Because of this vulnerability in uploadify/scripts/uploadify.php, the attackers can execute arbitrary code by uploading a file with a double extension. After that they access it via a direct request to the file in the directory specified by the “folder” parameter.
Update the plugin.