The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
Multiple inputs in the plugin's settings – for example frou_filenaming_rules_opt[datetime_format] – are vulnerable to XSS. Entering the string Y-m-d_H-i-s_u\<\s\c\r\i\p\t\>\a\l\e\r\t\\(\1\\)\<\/\s\c\r\i\p\t\> into the setting textboxes results in XSS.
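The following is an added illustration of the bug class and its fix, not code from the plugin or the advisory. It assumes a WordPress runtime (register_setting, get_option, esc_attr, esc_html, add_settings_error, add_action). The option name and key, frou_filenaming_rules_opt[datetime_format], come from the advisory; the option group name, the default format and the "example filename" preview are assumptions for illustration. The backslashes in the advisory's string are PHP date() escapes: letters such as s, c, r, i, p, t, a, l and e are format tokens, and "\x" makes date() emit x literally, so a stored "\<\s\c\r\i\p\t\>" leaves date() as "<script>". The example therefore assumes the stored format is rendered through date() somewhere in the admin UI.

```php
<?php
/**
 * Added example, not the plugin's code. Assumes the WordPress runtime.
 * Option/key names are from the advisory; group name and preview are assumed.
 */

// --- Vulnerable pattern: stored value echoed raw into an attribute and a preview ---
function frou_render_datetime_field_vulnerable() {
    $opts = get_option( 'frou_filenaming_rules_opt', array() );
    $fmt  = isset( $opts['datetime_format'] ) ? $opts['datetime_format'] : 'Y-m-d_H-i-s';

    // Unescaped attribute: a stored value can close the attribute and inject markup,
    // no matter whether the saving user held unfiltered_html.
    echo '<input type="text" name="frou_filenaming_rules_opt[datetime_format]" value="' . $fmt . '">';

    // Unescaped preview: date() resolves the backslash escapes into live markup.
    echo '<p>Example filename: ' . date( $fmt ) . '.jpg</p>';
}

// --- Hardened pattern ---
// 1. Validate on save: keep only the characters a date format legitimately needs.
function frou_sanitize_filenaming_rules( $input ) {
    $clean = array( 'datetime_format' => 'Y-m-d_H-i-s' ); // assumed default

    if ( is_array( $input ) && isset( $input['datetime_format'] ) ) {
        $fmt = sanitize_text_field( $input['datetime_format'] );

        // Allow-list: format letters, digits and a few separators.
        // Backslash, angle brackets and quotes are rejected outright.
        if ( preg_match( '/^[A-Za-z0-9 _\-.:]{1,64}$/', $fmt ) ) {
            $clean['datetime_format'] = $fmt;
        } else {
            add_settings_error(
                'frou_filenaming_rules_opt',
                'bad_datetime_format',
                'Date format may contain only letters, digits, space, _ - . :'
            );
        }
    }
    return $clean;
}

function frou_register_settings() {
    register_setting(
        'frou_filenaming_rules_group', // assumed option group
        'frou_filenaming_rules_opt',
        array(
            'type'              => 'array',
            'sanitize_callback' => 'frou_sanitize_filenaming_rules',
        )
    );
}
add_action( 'admin_init', 'frou_register_settings' );

// 2. Escape on output with the escaper for the context, regardless of what is stored.
function frou_render_datetime_field_hardened() {
    $opts = get_option( 'frou_filenaming_rules_opt', array() );
    $fmt  = isset( $opts['datetime_format'] ) ? $opts['datetime_format'] : 'Y-m-d_H-i-s';

    // Attribute context: esc_attr() encodes < > " ' &.
    printf(
        '<input type="text" name="frou_filenaming_rules_opt[datetime_format]" value="%s">',
        esc_attr( $fmt )
    );

    // Escape the *result* of date(), not only the stored format string.
    printf( '<p>Example filename: %s.jpg</p>', esc_html( date( $fmt ) ) );
}
```

The save-time allow-list is defence in depth; the output escaping is what closes the bug. A generic save-time filter such as sanitize_text_field() does not recognise "\<\s\c\r\i\p\t\>" as a tag, so a value that looks harmless in the database can still become markup once date() has processed it, and the same is true of any other setting that is reflected back into the admin page unescaped.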