The plugin does not validate and sanitise user input which is being concatenated to create a file path, passed to unlink(), which leads to an arbitrary file deletion issue.
For more details about this issue, please see the reference.
$filename = dirname(dirname(dirname(__FILE__))).'/uploads/'.$_GET['xml'];
2020-10-07 (about 1 years ago)
2020-10-08 (about 1 years ago)