The plugin does not sanitise and escape the created folder names, which could allow users with the role of author and above to perform Stored Cross-Site Scripting attacks.
As a user with the author role, go to Media > Library and create a new folder with the following payload: "><img src onerror=alert(/XSS/)>
Then Add a new media (via Media > Add new), select the created folder with the payload, and upload a file, which will trigger the XSS. Any user using the malicious folder to upload files will have the XSS trigger