Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
As a contributor, put the below shortcodes in a post:

[MMFileList folder=‘…/…/’ format=‘img’ class=‘" onload=alert(/XSS/)//’]
(the folder reached must contain images for the XSS to trigger)

[MMFileList folder=‘…/…’ class=‘" onmouseover=alert(/XSS/)//’]
(the XSS will be triggered when moving the mouse over the generated list)
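
The missing validation and escaping described above, shown as an added example that is not the plugin's own code: a hypothetical renderer that concatenates the class attribute as-is, next to one that allowlists format, sanitizes class and escapes at output. The function names, the format allowlist and the file names are assumptions made for this sketch; in WordPress the same roles are filled by sanitize_html_class() and esc_attr().

```php
<?php
// Hypothetical shortcode renderer for illustration; all names are assumptions.

// Vulnerable pattern: the "class" attribute is concatenated into markup as-is,
// so a double quote in the value closes the attribute and opens a new one.
function render_unsafe(array $atts): string {
    return '<ul class="' . $atts['class'] . '"><li>report.pdf</li></ul>';
}

// Validation: split on whitespace and keep only characters that are valid in
// a class token. In WordPress, sanitize_html_class() plays this role.
function clean_classes(string $raw): string {
    $tokens = preg_split('/\s+/', trim($raw), -1, PREG_SPLIT_NO_EMPTY);
    $tokens = array_map(
        fn($t) => preg_replace('/[^A-Za-z0-9_-]/', '', $t),
        $tokens
    );
    return implode(' ', array_filter($tokens, 'strlen'));
}

// Hardened pattern: allowlist "format", sanitize "class", escape at output.
// In WordPress, esc_attr() is the output-escaping call.
function render_safe(array $atts): string {
    $format = $atts['format'] ?? 'li';
    if (!in_array($format, ['li', 'img'], true)) { // assumed allowlist
        $format = 'li';
    }
    $class = htmlspecialchars(
        clean_classes($atts['class'] ?? ''),
        ENT_QUOTES,
        'UTF-8'
    );
    $item = $format === 'img'
        ? '<img src="sample.png" alt="">' // constructed file name
        : 'report.pdf';                   // constructed file name
    return '<ul class="' . $class . '"><li>' . $item . '</li></ul>';
}

// Constructed input: the class value from the second shortcode on this page.
$atts = ['format' => 'li', 'class' => '" onmouseover=alert(/XSS/)//'];

echo render_unsafe($atts), PHP_EOL; // attribute boundary is broken
echo render_safe($atts), PHP_EOL;   // value stays inside class=""
```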