The plugin does not validate the url attribute of its su_table shortcode before displaying its content, which could allow any authenticated users, such as subscriber to read arbitrary files from the server when the βUnsafe Featuresβ settings is enabled