The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.
Exploit shortcode:
[wpcf7pdf_download type='text' class='" onmouseover="alert(1)"']
Exploit link:
http://localhost/exploit-page/?pdf-reference=63a3ddc576a74
Note:
1. The pdf reference value must be specified, which can be found in the Contact > Create PDF page - Last records section.
2. Contact Form 7 plugin is required.