The plugin does not sanitise and escape some of its settings before outputting them in attributes, which could lead to Stored Cross-Site Scripting issues.
Put the following payload in the “Folder for new files” and “Maximum size of uploaded file” settings of the plugin: ">
CPE

| Name | Operator | Version |
|---|---|---|
| shared-files | lt | 1.6.57 |
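The missing sanitisation and escaping described above, shown beside a hardened form. This is an added example, not the plugin's own code: the option names, settings group and function names are hypothetical, and it assumes the file is loaded inside WordPress.

```php
<?php
// Added example. Option and group names below are hypothetical placeholders.
const DEMO_FOLDER_OPT  = 'demo_new_files_folder';
const DEMO_MAXSIZE_OPT = 'demo_max_upload_size';

// 1. Sanitise on save: constrain each setting to the shape it should have.
add_action( 'admin_init', function () {
    register_setting( 'demo_settings', DEMO_FOLDER_OPT, array(
        'type'              => 'string',
        'sanitize_callback' => function ( $value ) {
            // Drop tags and control characters, then keep path-safe characters only.
            $value = is_string( $value ) ? sanitize_text_field( $value ) : '';
            return preg_replace( '#[^A-Za-z0-9_\-/]#', '', $value );
        },
    ) );
    register_setting( 'demo_settings', DEMO_MAXSIZE_OPT, array(
        'type'              => 'integer',
        'sanitize_callback' => 'absint', // a size limit is a non-negative integer
    ) );
} );

// Vulnerable pattern: the stored value is echoed raw, so a double quote in it
// closes the value="" attribute and the remainder is parsed as markup.
function demo_render_field_unsafe() {
    echo '<input type="text" name="' . DEMO_FOLDER_OPT . '" value="'
        . get_option( DEMO_FOLDER_OPT ) . '">';
}

// 2. Escape on output: esc_attr() encodes quotes and angle brackets, so the
// value stays inside the attribute even if a bad value is already stored.
function demo_render_fields_safe() {
    printf(
        '<input type="text" name="%s" value="%s">',
        esc_attr( DEMO_FOLDER_OPT ),
        esc_attr( get_option( DEMO_FOLDER_OPT, '' ) )
    );
    printf(
        '<input type="number" min="0" name="%s" value="%d">',
        esc_attr( DEMO_MAXSIZE_OPT ),
        absint( get_option( DEMO_MAXSIZE_OPT, 0 ) )
    );
}
```

Escaping on output is the control that closes the issue for values already in the database; the save-time callbacks only stop new bad values from being stored.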