Through our proactive monitoring of changes in WordPress plugins for serious vulnerabilities, we recently found an authenticated arbitrary file upload vulnerability in the Football Pool plugin.
The plugin has a number of admin pages that are available to users with the ‘manage_football_pool’ capability. The plugin creates a new role with that capability as well as providing it to Editor
Source: Security Feed