Description

The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup).
1. Click Simple Table Manager, then "Export CSV", after selecting and saving a table in the "Settings" tab.
2. Put the following in the CSV file name, then click Save: "><img src=1 onerror=alert(/xss/)>
3. An alert will load, and it will trigger each time an admin navigates to those settings.
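
The usual remedy for a setting that is stored and rendered without sanitising or escaping is to sanitise on save and escape on output. The sketch below is an added example, not Simple Table Manager's own code; the option and field name `stm_demo_csv_file_name` and the nonce action `stm_demo_save` are hypothetical, and only core WordPress functions are used.

```php
<?php
// Added illustration, not the plugin's code. The option/field name
// 'stm_demo_csv_file_name' and nonce action 'stm_demo_save' are hypothetical.

// Pattern that produces this class of bug: the stored value is echoed raw
// into an HTML attribute, so a value starting with "> closes the attribute
// and the tag, and whatever follows is parsed as markup.
function stm_demo_render_field_vulnerable() {
    $name = get_option( 'stm_demo_csv_file_name', '' );
    echo '<input type="text" name="stm_demo_csv_file_name" value="' . $name . '">';
}

// Hardened save handler: capability check, nonce check, then sanitise.
function stm_demo_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ) );
    }
    check_admin_referer( 'stm_demo_save' );

    $raw = isset( $_POST['stm_demo_csv_file_name'] )
        ? wp_unslash( $_POST['stm_demo_csv_file_name'] )
        : '';

    // sanitize_text_field() strips tags; sanitize_file_name() then removes
    // quotes, angle brackets, '=', '/', parentheses and similar characters,
    // which is appropriate because the setting is meant to be a file name.
    $name = sanitize_file_name( sanitize_text_field( $raw ) );
    update_option( 'stm_demo_csv_file_name', $name );
}

// Hardened render: escape for the attribute context on every output.
// This is unconditional, so it does not depend on whether the current
// user has the unfiltered_html capability (relevant on multisite).
function stm_demo_render_field() {
    $name = get_option( 'stm_demo_csv_file_name', '' );
    printf(
        '<input type="text" name="stm_demo_csv_file_name" value="%s">',
        esc_attr( $name )
    );
}
```

Escaping on output also neutralises values that were stored before the save handler was fixed, so both halves are needed.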