The plugin does not properly prevent attackers from modifying the target path to which the plugin will move files, via the wfu_newpath parameter. This could allow administrators to move files outside of the site’s root, which may be a problem in multisite configurations.