The plugin uses an easily guessable path to store user files, bad actors could use that to access other users’ sensitive files.
1. Upload a file using the plugin.
2. On another browser, access the newly uploaded file via:
https://vulnerable-site.tld/wp-content/uploads/sp-client-document-manager/[user's uid]/file.format