The plugin does not have a CSRF check when importing files, allowing an attacker to make a logged-in admin import arbitrary snippets. Furthermore, imported snippets are not sanitised or escaped, which could lead to Stored Cross-Site Scripting issues.
The XSS will be triggered anywhere in the backend. Or, as admin: create a .cfg file with the following content (the 29-byte "title" string is the one that carries the XSS payload; it is blank in this copy of the PoC):

a:1:{i:0;a:7:{s:5:"title";s:29:"";s:4:"vars";s:0:"";s:11:"description";s:0:"";s:9:"shortcode";b:0;s:3:"php";b:0;s:11:"wptexturize";b:0;s:7:"snippet";s:0:"";}}

Zip it and import it via the plugin's Import feature.
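The two defects named above (no CSRF check on the import action, imported snippet fields echoed without escaping) have a standard WordPress fix. The following is an added, illustrative import handler, not the affected plugin's code: the vulnerable shape is shown next to a hardened one that verifies a nonce, checks capability, type-checks the unserialized data and escapes the title on output. The function names, the option key `my_snippets`, the nonce action `snippets_import` and the field name `snippets_import_nonce` are assumptions; extracting the .cfg from the uploaded zip is omitted.

```php
<?php
// Illustrative snippets-import handler (example code, not the plugin's own).
// Assumed names: my_snippets (option key), snippets_import / snippets_import_nonce (nonce action / field).

// VULNERABLE: no nonce, no capability check, data stored and later echoed verbatim.
function vuln_handle_import( $cfg_contents ) {
    $snippets = unserialize( $cfg_contents );   // attacker-controlled serialized array
    update_option( 'my_snippets', $snippets );  // stored as-is
}

function vuln_render_titles() {
    foreach ( (array) get_option( 'my_snippets', array() ) as $s ) {
        // Unescaped: a <script> in "title" fires on every backend page that renders this list.
        echo '<li>' . $s['title'] . '</li>';
    }
}

// HARDENED: form must emit wp_nonce_field( 'snippets_import', 'snippets_import_nonce' ).
function safe_handle_import( $cfg_contents ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    // Rejects a forged cross-site POST: the nonce is tied to the user, action and session.
    check_admin_referer( 'snippets_import', 'snippets_import_nonce' );

    // allowed_classes => false prevents object instantiation (PHP 7+), so only scalars/arrays come back.
    $data = unserialize( $cfg_contents, array( 'allowed_classes' => false ) );
    if ( ! is_array( $data ) ) {
        wp_die( 'Invalid import file.' );
    }

    $clean = array();
    foreach ( $data as $item ) {
        if ( ! is_array( $item ) ) {
            continue;
        }
        // Whitelist the seven expected keys, coerce types, strip tags from free-text fields.
        $clean[] = array(
            'title'       => sanitize_text_field( (string) ( $item['title'] ?? '' ) ),
            'vars'        => sanitize_text_field( (string) ( $item['vars'] ?? '' ) ),
            'description' => sanitize_text_field( (string) ( $item['description'] ?? '' ) ),
            'shortcode'   => ! empty( $item['shortcode'] ),
            'php'         => ! empty( $item['php'] ),
            'wptexturize' => ! empty( $item['wptexturize'] ),
            'snippet'     => (string) ( $item['snippet'] ?? '' ), // body kept raw, escaped wherever shown
        );
    }
    update_option( 'my_snippets', $clean );
}

function safe_render_titles() {
    foreach ( (array) get_option( 'my_snippets', array() ) as $s ) {
        // Escape at output even though input was sanitised: defence in depth for the stored value.
        echo '<li>' . esc_html( $s['title'] ) . '</li>';
    }
}
```

Input sanitisation alone is not sufficient here because snippets imported before the fix are already in the database; escaping at every output site (esc_html, or esc_attr inside attributes) is what actually closes the stored XSS, and the nonce plus capability check is what closes the CSRF vector.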