The plugin does not escape the $_SERVER[‘REQUEST_URI’] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers
https://example.com/wp-admin/edit.php?post_type=envira&page=envira-gallery-lite-addons&"><script>alert(1)</script>