The plugin does not sanitize and escapes some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in multisite setup).
Proof of Concept
Inject an XSS payload in the title by going to Settings » WP Attachments » Settings » List Head.
Now, inject XSS payload & HTML injection (<h2> myavatar<script>alert(2)</script>) in the uploaded image Title in Media Library.
Now, after opening the Post page, the browser renders the XSS payload of the attachment title and image title.
The HTML injection rendered as <h2> can be seen in source code. WordPress doesn’t execute the payload of the image name in the media, it only gets executed by the wp-attachment in the post.