The plugin does not sanitise and escape the created folder names, which could allow users with the role of author and above to perform Stored Cross-Site Scripting attacks.
As a user with the author role, go to Media > Library and create a new folder with the following payload: "> Then add a new media item (via Media > Add new), select the created folder with the payload, and upload a file, which will trigger the XSS. Any user who uploads files using the malicious folder will trigger the XSS.
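The missing sanitising and escaping described above, shown as an added JavaScript example that is not the plugin's own code. The function names, the `<option>` markup and the sample folder are hypothetical and constructed for illustration, since the page does not show how the plugin renders folder names.

```javascript
// Added example, not the plugin's code: sanitise a folder name on save and
// escape it on output. All names and the markup below are hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output escaping: safe for HTML text and for quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Input sanitising: normalise, collapse whitespace, drop control characters, cap length.
function sanitizeFolderName(raw, maxLength = 100) {
  const name = String(raw)
    .normalize('NFC')
    .replace(/\s+/g, ' ')
    .replace(/[\u0000-\u001f\u007f]/g, '')
    .trim()
    .slice(0, maxLength);
  if (name === '') throw new Error('folder name is empty after sanitising');
  return name;
}

// "Before": the stored name is concatenated into markup unchanged.
function renderFolderOptionUnsafe(folder) {
  return `<option value="${folder.id}" title="${folder.name}">${folder.name}</option>`;
}

// "After": the name is escaped at the point of output.
function renderFolderOptionSafe(folder) {
  const name = escapeHtml(folder.name);
  return `<option value="${Number(folder.id)}" title="${name}">${name}</option>`;
}

// Counts unescaped opening tags in a rendered fragment; more than one means
// the folder name added elements of its own.
function countOpeningTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Constructed sample: a name that closes the attribute and tag, then adds harmless markup.
const sampleFolder = { id: 7, name: sanitizeFolderName('Invoices "><b>2024</b>') };

console.log(countOpeningTags(renderFolderOptionUnsafe(sampleFolder)), renderFolderOptionUnsafe(sampleFolder));
console.log(countOpeningTags(renderFolderOptionSafe(sampleFolder)), renderFolderOptionSafe(sampleFolder));
```

Sanitising alone leaves the quote and angle brackets in the stored name, so the escaping at output is what keeps the name inside the attribute and text node.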
| CPE | Name | Operator | Version |
|---|---|---|---|
|  | real-media-library-lite | lt | 4.18.29 |