The plugin does not validate and escapes some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks against logged-in admins.
1. โEnable modal login formโ option in the โDownloads > Settings > Frontend Access > Front-end Settingsโ section.
2. Exploit shortcode:
[wpdm_modal_login_form class='" onmouseover="alert(1)']