Through the proactive monitoring of changes in WordPress plugins for serious vulnerabilities we do, we recently found an an arbitrary file upload vulnerability in the All Post Contact Form plugin.
When the plugins shortcode, rlallpostcontactform, is on a post or page the the file /allpost-contactform-core.php is included. In that file the following code is run:
53 54
Source: Security Feed