The plugin does not have a CSRF check when saving its settings, nor does it sanitise and escape some of them, which could allow attackers to make a logged-in admin change them and perform Cross-Site Scripting attacks.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | wp-extra-file-types | lt | 0.5.1 |