The popular WordPress plugin, Contact Form 7 was found to be vulnerable to Unrestricted File Upload.
Append a unicode special character (from U+0000 [null] to U+001F [us]) to a filename and upload it via the ContactForm7 upload feature
contactform7.com/2020/12/17/contact-form-7-532/#more-38314
www.getastra.com/blog/911/plugin-exploit/contact-form-7-unrestricted-file-upload-vulnerability/
www.jinsonvarghese.com/unrestricted-file-upload-in-contact-form-7/