The plugin does not validate the id parameter before redirecting the user to it via the kc_get_thumbn AJAX action, which is available to both unauthenticated and authenticated users.
https://example.com/wp-admin/admin-ajax.php?action=kc_get_thumbn&id=https://wpscan.com
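
To check whether the redirect described above has been requested against a site, the following added example (not code from the plugin or from this advisory) scans web server access logs for kc_get_thumbn requests whose id value names an off-site host. The function names, the combined log format and the constructed sample lines are assumptions; site_hosts is the set of hostnames the site legitimately serves.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-admin/admin-ajax.php?action=kc_get_thumbn&id=https://wpscan.com HTTP/1.1" 302 0
203.0.113.6 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=kc_get_thumbn&id=%2F%2Fwpscan.com%2Fx HTTP/1.1" 302 0
198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=kc_get_thumbn&id=42 HTTP/1.1" 200 512
198.51.100.8 - - [01/Jan/2024:10:00:12 +0000] "GET /wp-admin/admin-ajax.php?action=kc_get_thumbn&id=https://example.com/a.png HTTP/1.1" 302 0
198.51.100.9 - - [01/Jan/2024:10:00:15 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat&id=https://wpscan.com HTTP/1.1" 200 20
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def external_redirect_target(request_uri, site_hosts):
    """Return the off-site host named by id for a kc_get_thumbn request, else None."""
    parts = urlsplit(request_uri)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    query = parse_qs(parts.query)  # parse_qs also percent-decodes the values
    if "kc_get_thumbn" not in query.get("action", []):
        return None
    for value in query.get("id", []):
        # Browsers parse "\" as "/" in http(s) URLs, so normalise before splitting.
        target = urlsplit(value.strip().replace("\\", "/"))
        host = (target.hostname or "").lower()
        if host and host not in site_hosts:
            return host
    return None


def scan(log_text, site_hosts):
    """Return (client_ip, off-site host) for each suspicious log line."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        host = external_redirect_target(match.group(1), site_hosts)
        if host:
            hits.append((line.split(" ", 1)[0], host))
    return hits


if __name__ == "__main__":
    for ip, host in scan(SAMPLE_LOG, {"example.com"}):
        print(f"{ip} -> {host}")
```

Only parameters sent in the query string appear in access logs; requests that carry action and id in a POST body need request-body logging or a WAF rule to be seen.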