The plugin does not properly check user capabilities in its file uploading AJAX endpoint, relying on WordPress nonces to do so. Unfortunately, the nonce can be leaked by any logged-in users, like subscribers. Since the Uploader library they use does not check file extensions at all, this may lead to RCE on sites running on NGINX servers.
The PoC will be displayed once the issue has been remediated