The WordPress File Upload WordPress plugin before 4.23.3 does not sanitise and escape some of its settings, which could allow high privilege users such as contributors to perform Stored Cross-Site Scripting attacks.
https://wpscan.com/vulnerability/7f9271f2-4de4-4be3-8746-2a3f149eb1d1