CVE-2021-34625: WP Upload Restriction <= 2.2.3 – Authenticated Stored Cross-Site Scripting
Missing access control in the saveCustomType function allows authenticated users, such as subscribers, to add MIME types and extensions through unsanitized parameters, which makes it possible to inject malicious web scripts that later execute when an administrator visits the extensions page.
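
A hardened handler for this class of bug, as an added example that is not the plugin's own code: the function, option, nonce and POST parameter names are hypothetical, and registration as a `wp_ajax_` action is an assumption. It pairs the capability check and input validation that the description reports missing with escaping at the point where the stored values are rendered.

```php
<?php
// Added example. All example_* names, the option key, the nonce action and the
// POST field names are hypothetical; this is not WP Upload Restriction's code.

// Strict allow-patterns: extension such as "svg" or "tar.gz".
function example_valid_extension(string $ext): bool {
    return (bool) preg_match('/^[a-z0-9]{1,10}(\.[a-z0-9]{1,10})?$/', $ext);
}

// MIME type such as "image/svg+xml": type "/" subtype, no markup characters.
function example_valid_mime(string $mime): bool {
    return (bool) preg_match('#^[a-z0-9][a-z0-9.+-]{0,63}/[a-z0-9][a-z0-9.+-]{0,63}$#', $mime);
}

// Save handler: authorize first, then validate, then store.
function example_save_custom_type() {
    // 1. Access control: being logged in is not enough; require an admin capability.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('Forbidden', 403); // sends the response and exits
    }
    // 2. Standard request-forgery check (nonce action name is an assumption).
    check_ajax_referer('example_save_custom_type', 'nonce');

    // 3. Input validation: reject anything that is not a plain extension / MIME type.
    $ext  = strtolower(sanitize_text_field(wp_unslash($_POST['extension'] ?? '')));
    $mime = strtolower(sanitize_text_field(wp_unslash($_POST['mime_type'] ?? '')));
    if (!example_valid_extension($ext) || !example_valid_mime($mime)) {
        wp_send_json_error('Invalid extension or MIME type', 400);
    }

    $types = get_option('example_custom_types', array());
    $types[$ext] = $mime;
    update_option('example_custom_types', $types);
    wp_send_json_success();
}

// Admin page rendering: escape on output even though input was validated,
// so values stored before the fix cannot execute in the administrator's browser.
function example_render_custom_types() {
    foreach (get_option('example_custom_types', array()) as $ext => $mime) {
        printf('<tr><td>%s</td><td>%s</td></tr>', esc_html($ext), esc_html($mime));
    }
}

if (function_exists('add_action')) {
    // wp_ajax_* hooks fire for any logged-in user, subscribers included, hence step 1.
    add_action('wp_ajax_example_save_custom_type', 'example_save_custom_type');
}
```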