The plugin does not have a CSRF check when uploading files, which could allow attackers to make logged-in users upload files on their behalf.
The file won’t show up via the frontend/backend, but will be uploaded to the user folder (i.e. in wp-content/uploads/user_uploads//payload.pdf).
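The missing check described above, shown as an added example of a nonce-protected upload handler; this is not the plugin's own code. The action name `example_upload_file`, the nonce field `example_upload_nonce`, the file field `example_file` and both function names are hypothetical, and the PDF-only allow-list is an assumption.

```php
<?php
// Added example, not the plugin's code. All example_* names are hypothetical.

// Form side: emit a nonce bound to the current user and this action.
function example_render_upload_form() {
    ?>
    <form method="post" enctype="multipart/form-data"
          action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>">
        <input type="hidden" name="action" value="example_upload_file">
        <?php wp_nonce_field( 'example_upload_file', 'example_upload_nonce' ); ?>
        <input type="file" name="example_file">
        <button type="submit">Upload</button>
    </form>
    <?php
}

// Handler side: hooked for logged-in users only (no wp_ajax_nopriv_ hook).
add_action( 'wp_ajax_example_upload_file', 'example_handle_upload' );

function example_handle_upload() {
    // Reject the request unless it carries a valid nonce for this user and
    // action. A form hosted on another origin cannot read this value.
    if ( ! check_ajax_referer( 'example_upload_file', 'example_upload_nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or missing nonce.' ), 403 );
    }

    if ( empty( $_FILES['example_file'] ) ) {
        wp_send_json_error( array( 'message' => 'No file received.' ), 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';

    // test_form => false because this is not a core upload form; the nonce
    // check above is what ties the request to the user's own session.
    $result = wp_handle_upload(
        $_FILES['example_file'],
        array(
            'test_form' => false,
            'mimes'     => array( 'pdf' => 'application/pdf' ), // assumed allow-list
        )
    );

    if ( isset( $result['error'] ) ) {
        wp_send_json_error( array( 'message' => $result['error'] ), 400 );
    }

    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```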