The plugin does not sanitise and escape some of its settings before outputting them in attributes, which could lead to Stored Cross-Site Scripting issues.
Put the following payload in the "Folder for new files" and "Maximum size of uploaded file" settings of the plugin: "><script>alert(/XSS/)</script>