The wp_ajax_nf_oauth_connect AJAX action was vulnerable to open redirect due to the use of a user supplied redirect parameter and no protection in place.
http://mysite.com/wp-admin/admin-ajax.php?client_id=1&redirect=https://google.com&action=nf_oauth_connect