The code in mailcwp-upload.php doesn’t check that a user is authenticated or what type of file is being uploaded, so any user can upload a shell to the target WordPress server. Exploitation requires the attacker to guess a writeable location in the HTTP server root.
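For contrast, the two missing checks as they would look in a WordPress upload handler. This is an added example, not the plugin's code or its patch: the hook name `example_attachment_upload`, the `nonce` and `file` field names and the MIME allowlist are hypothetical. It also keeps the destination directory out of the caller's control, on the assumption that the vulnerable script takes it from the request.

```php
<?php
// Added illustration: hardened upload endpoint for a WordPress plugin.
// Hook name, nonce action, field names and the MIME allowlist are hypothetical.

// Registered for logged-in users only: there is deliberately no
// wp_ajax_nopriv_* hook and no directly reachable .php file doing the work.
add_action( 'wp_ajax_example_attachment_upload', 'example_attachment_upload' );

function example_attachment_upload() {
    // 1. Authentication and authorisation.
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'Not allowed', 403 );
    }
    // 2. CSRF: the nonce must have been issued to this user for this action.
    if ( ! check_ajax_referer( 'example_attachment_upload', 'nonce', false ) ) {
        wp_send_json_error( 'Bad nonce', 403 );
    }
    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_send_json_error( 'No file received', 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';

    // 3. File type: the extension must be on this allowlist (WordPress also
    //    sniffs the content where it can). .php, .phtml etc. are rejected.
    $overrides = array(
        'test_form' => false, // request is not a standard wp-admin form post
        'mimes'     => array(
            'jpg|jpeg' => 'image/jpeg',
            'png'      => 'image/png',
            'pdf'      => 'application/pdf',
        ),
    );

    // 4. Destination: wp_handle_upload() chooses the path under the uploads
    //    directory and sanitises the name; nothing in the request selects it.
    $result = wp_handle_upload( $_FILES['file'], $overrides );

    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'], 'type' => $result['type'] ) );
}
```

The uploads directory should additionally be configured at the web server so that PHP is not executed from it, which limits the impact if a type check is ever bypassed.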