plupload is vulnerable to cross-site scripting. The vulnerability exists in addFiles
function of jquery.ui.plupload.js
because the html entities have not been encoded properly which allows an malicious attacker to perform unauthorized file uploads.