The plugin does not validate a parameter via the get_remote_content REST API endpoint before making a request to it, which could allow any authenticated users, such as subscriber to perform SSRF attack. Note: We do not consider flushing of cache to be a security issue, therefore CVE-2023-1910 has not been added.
https://example.com/?rest_route=/getwid/v1/get_remote_content&get;_content_url=http://127.0.0.1/