Description: The plugin does not prevent users from pinging arbitrary hosts via some of its shortcodes, which could allow high privilege users such as contributors to perform Server-Side Request Forgery (SSRF) attacks.
Set up a listener on a localhost/LAN host (such as nc -l 127.0.0.1 9000), then, as a contributor, put the following shortcode in a post and save it as a draft: [blogcard url="http://127.0.0.1:9000"]
Notice that the internal server (localhost:9000) receives the request when the draft is saved.
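A destination check of the kind the description says is missing, as an added example that is not the plugin's code: blogcard_url_is_public() is a hypothetical helper, and the port restriction is an assumed policy.

```php
<?php
// Added example: blogcard_url_is_public() is a hypothetical helper, not the plugin's code.
// It rejects URLs whose host is, or resolves to, a loopback, private or reserved address.

function blogcard_url_is_public(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    // Only plain web schemes.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Assumed policy: default web ports only, so odd internal ports are refused.
    if (isset($parts['port']) && !in_array($parts['port'], [80, 443], true)) {
        return false;
    }
    // parse_url() keeps the brackets around an IPv6 literal; strip them.
    $host = trim($parts['host'], '[]');
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $ips = [$host];
    } else {
        // gethostbynamel() returns IPv4 addresses only; an unresolvable host is refused.
        $ips = gethostbynamel($host) ?: [];
    }
    if ($ips === []) {
        return false;
    }
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return false; // 127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, ::1, ...
        }
    }
    return true;
}

// Constructed sample inputs (IP literals, so the script runs offline).
$samples = [
    'http://127.0.0.1:9000',   // the URL from the steps above
    'http://10.0.0.5/',        // constructed LAN address
    'http://[::1]/',           // IPv6 loopback
    'https://93.184.216.34/',  // constructed public address
];
foreach ($samples as $url) {
    echo $url, ' => ', blogcard_url_is_public($url) ? 'allow' : 'refuse', PHP_EOL;
}
```

The check and the later fetch resolve DNS separately, so the request should be pinned to the validated address or made through a client that repeats the check. In WordPress, wp_safe_remote_get() is the core request function that rejects unsafe URLs.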