This is a major security risk, not only to your website: it could potentially allow your website to be used to DoS another server.
I can understand that this could be used by others to DoS my server by mass uploading images, but they would first have to MANUALLY create an account. Most spammers don't do manual, they do automated, and those tend to fail to create accounts automatically.
But I don't understand how MY SERVER can DoS another one with this plugin. Care to elaborate?
Please note I am not talking about spammers, I am talking about a real security issue that would be performed by a human, or if simple enough, a script.
Ok, think about this. Your server likely has a nice, fast internet connection, and you're letting someone input a URL to an image to download and store on your server. If someone scripted something to make your server fetch, say, 100 images at once from a remote server, your nice, fast, internet-connected server would end up performing a DoS attack. This is known as an amplification attack; the attacker could perform this attack using a dial-up connection at little expense to themselves.
The other danger is that you need to verify the file being fetched is actually an image. What is stopping someone from plugging in a URL to an "image" that is really a malicious file with 100GB of data appended to the end of the image data? Your website would have no way of knowing it's fetching a ton of useless data unless you write the code to parse the image header and determine if the downloaded data is going to exceed the actual image size. An attacker could use this to make your server DoS itself, again with very little effort or bandwidth. They could even just request a single file and fill up your HDD, crashing other critical services like MySQL.
Please be aware that I daily see websites attacked by other servers that have been compromised or have these exact issues I am describing here. It is a very common occurrence, and because these other website owners or developers never think of the security implications, they do not keep logs of who is triggering the upload/download, making it near impossible to trace and filter. HTTP logs are not enough in these instances; I am talking about actual application logging.
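The three defenses the reply above asks for (limit how many fetches one account can trigger, refuse anything that is not an image or is larger than you are willing to store, and log which user asked for which URL) fit in a small piece of fetch-side code. The following is an added example, not code from this thread or from the plugin being discussed. It is written in Python rather than the plugin's own language, the policy values (2 MiB cap, 5 fetches per minute) are assumptions, and the HTTP response is passed in as a header mapping plus a chunk iterator so the example runs offline; with a real client you would pass `r.headers` and `r.iter_content(64 * 1024)` from a streaming request.

```python
import logging
import time
from collections import defaultdict, deque
from typing import Iterable, Mapping, Optional, Tuple
from urllib.parse import urlparse

# Policy values are assumptions for this example; tune them for your site.
MAX_IMAGE_BYTES = 2 * 1024 * 1024   # hard cap on what we will store per fetch
MAX_FETCHES_PER_WINDOW = 5          # remote fetches one account may trigger...
WINDOW_SECONDS = 60                 # ...within this many seconds

# Leading bytes of the formats we accept; checked on the first bytes received.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

log = logging.getLogger("remote_image_fetch")


class FetchRejected(Exception):
    """Raised when a fetch violates policy; the message says why."""


class FetchLimiter:
    """Sliding window: at most `limit` fetches per user per `window` seconds.
    A fetch is counted when it is requested, whether or not it succeeds, so an
    account cannot turn the server into an amplifier by retrying."""

    def __init__(self, limit=MAX_FETCHES_PER_WINDOW, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._hits = defaultdict(deque)

    def allow(self, user: str) -> bool:
        now, q = self.clock(), self._hits[user]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def sniff_image_type(head: bytes) -> Optional[str]:
    """Return the format whose magic bytes `head` starts with, else None."""
    for magic, kind in IMAGE_MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def fetch_image(url: str, user: str, headers: Mapping[str, str],
                body: Iterable[bytes], limiter: FetchLimiter) -> bytes:
    """Validate and read one remote image on behalf of `user`.

    `headers` and `body` stand in for the HTTP response so the example runs
    offline. Every refusal is logged with the account and the URL, which is
    the application-level log the thread asks for (HTTP logs lack the user).
    """
    def refuse(reason: str):
        log.warning("user=%s url=%r refused: %s", user, url, reason)
        raise FetchRejected(reason)

    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        refuse("only http(s) URLs are accepted")
    if not limiter.allow(user):
        refuse("too many remote fetches in the current window")

    # Cheap early exit when the server admits the file is too large. The
    # header can be absent or false, so it is never the only check.
    declared = headers.get("Content-Length", "")
    if declared.isdigit() and int(declared) > MAX_IMAGE_BYTES:
        refuse("declared Content-Length %s exceeds %d" % (declared, MAX_IMAGE_BYTES))

    # Stream with a hard byte cap: this, not the header, protects the disk.
    buf, kind = bytearray(), None
    for chunk in body:
        buf.extend(chunk)
        if kind is None and len(buf) >= 8:
            kind = sniff_image_type(bytes(buf[:8]))
            if kind is None:
                refuse("payload does not start with a supported image header")
        if len(buf) > MAX_IMAGE_BYTES:
            refuse("payload exceeded %d bytes" % MAX_IMAGE_BYTES)
    if kind is None:
        refuse("payload too short to be an image")

    log.info("user=%s url=%r stored %s, %d bytes", user, url, kind, len(buf))
    return bytes(buf)


def safe_fetch(url, user, headers, body, limiter) -> Tuple[bool, str]:
    """Wrapper returning (stored?, detail) instead of raising."""
    try:
        data = fetch_image(url, user, headers, body, limiter)
        return True, "stored %d bytes" % len(data)
    except FetchRejected as exc:
        return False, str(exc)
```

Note what the magic-byte check does and does not buy you: it rejects an HTML page or a script served as an "image", but a file that starts with a valid image header and carries gigabytes after it passes that check, which is exactly the case raised above. The byte cap applied while streaming is what stops that file from filling the disk, and it has to be enforced on the bytes actually received, because `Content-Length` can be missing or wrong. If you also want to compare the declared dimensions in the image header against the bytes received, do it on top of the cap, not instead of it.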