The plugin was affected by a Non-Arbitrary File Upload and Cross-Site Request Forgery (CSRF) vulnerabilities. The two vulnerabilities allow us to upload files to the server, even with a script.