There's a web plugin too. It can issue GET requests. That's enough to probe a lot of interesting things, and I'll bet there's an endpoint somewhere on the web that will eval any other web request, so now you've opened up every web accessible API - again, all theoretical, but at least not too far removed from an exploit.