The plugin does not have CSRF check in an AJAX action, and does not validate user input before using it in the wp_remote_get() function, leading to a Blind SSRF issue Note: CSRF was fixed in 1.1.4, the SSRF in 1.1.5
Make a logged in admin open https://example.com/wp-admin/admin-ajax.php?action=wpfc_check_url&url;=https://127.0.0.1:443