Because of these vulnerabilities, attackers can inject arbitrary web script or HTML via the following 4 parameters: “compose_text” (in a sendMail action to ajax/mail_functions.php), “text” (in an addComment action to ajax/profile_functions.php), “comment” (in an add_comment action to ajax/lounge_functions.php), or “name” (in a create_album action to ajax/gallery_functions.php).
Update the plugin.
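To review captured request data for markup submitted to the four parameters listed above, the following added example (not code from the plugin or from this advisory) flags form bodies that target those endpoint and action pairs. The sample requests, the `/PLUGIN_DIR/` prefix and the `action` field name are constructed; because the advisory does not name the field that carries the action, any field whose value equals the action name is accepted.

```python
import re
from urllib.parse import parse_qs

# (endpoint, action) -> parameter, exactly as listed in the advisory text.
AFFECTED = {
    ("ajax/mail_functions.php", "sendMail"): "compose_text",
    ("ajax/profile_functions.php", "addComment"): "text",
    ("ajax/lounge_functions.php", "add_comment"): "comment",
    ("ajax/gallery_functions.php", "create_album"): "name",
}

# Triage heuristic, not a sanitizer: "<" directly followed by a character
# that can start a tag, closing tag, comment or processing instruction.
MARKUP = re.compile(r"<[a-zA-Z/!?]")


def find_suspect_fields(path, body):
    """Return [(action, param, decoded_value)] for advisory parameters
    whose submitted value contains HTML markup."""
    fields = parse_qs(body, keep_blank_values=True)  # also URL-decodes
    # Assumption: the action name arrives as the value of some form field;
    # the advisory does not say which one, so any field is accepted.
    submitted = {v for vals in fields.values() for v in vals}
    script = path.split("?", 1)[0]
    hits = []
    for (endpoint, action), param in AFFECTED.items():
        if not script.endswith("/" + endpoint) or action not in submitted:
            continue
        for value in fields.get(param, []):
            if MARKUP.search(value):
                hits.append((action, param, value))
    return hits


# Constructed sample requests: (request path, urlencoded POST body).
# "PLUGIN_DIR" and the field name "action" are placeholders.
SAMPLE_REQUESTS = [
    ("/PLUGIN_DIR/ajax/mail_functions.php",
     "action=sendMail&compose_text=See+you+at+5%3F"),
    ("/PLUGIN_DIR/ajax/profile_functions.php",
     "action=addComment&text=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
    ("/PLUGIN_DIR/ajax/gallery_functions.php",
     "action=create_album&name=Holiday+%3Cb%3E2024%3C%2Fb%3E"),
    ("/PLUGIN_DIR/ajax/lounge_functions.php",
     "action=list&comment=%3Cb%3Ehi%3C%2Fb%3E"),
]

if __name__ == "__main__":
    for path, body in SAMPLE_REQUESTS:
        for action, param, value in find_suspect_fields(path, body):
            print(f"{path} action={action} {param}={value!r}")
```

A hit means markup reached one of the affected parameters; whether it was stored or rendered still has to be confirmed against the application's data.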