plupload is vulnerable to cross-site scripting. An attacker can inject and execute malicious javascript through the file.name
field as it does not properly encode the user input file name.
github.com/moxiecode/plupload/blob/120cc0b5dd3373d7181fd11b06ac2557c890d3f0/js/jquery.plupload.queue/jquery.plupload.queue.js#L226
github.com/moxiecode/plupload/blob/120cc0b5dd3373d7181fd11b06ac2557c890d3f0/js/jquery.plupload.queue/jquery.plupload.queue.js%23L226
github.com/moxiecode/plupload/commit/0d00239327c3e4e5b76478c94ec7332ce1e7ddc5