The plugin does not properly validate the value of the `upload_dir` input, which the user can modify. As a result, by changing the value of this input, it is possible to upload a file to any location writable by the web server.

1. Create a contact form and add a "multiple file upload" field.
2. Add the contact form to a page using the `contact-form-7` shortcode.
3. Visit the page on the frontend and drag a file into the upload section.
4. Intercept the request and append `/../..` to the `upload_dir` parameter.
5. See that the file is uploaded outside of the `wpcf7_drag-n-drop_uploads` directory.
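
One way to constrain a client-supplied upload directory so that the `/../..` suffix from step 4 is rejected. This is an added example, not the plugin's code or its actual fix; the function name `resolve_upload_dir`, the segment allow-list and the demo paths are assumptions.

```php
<?php
// Added example with hypothetical names; not taken from the plugin.

/**
 * Resolve a client-supplied sub-directory against a fixed base directory.
 * Returns the absolute path if it stays inside the base, otherwise null.
 */
function resolve_upload_dir(string $base, string $requested): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null; // the base directory must already exist
    }
    // Reject empty values, NUL bytes, backslashes and absolute paths outright.
    if ($requested === '' || $requested[0] === '/' || strpbrk($requested, "\0\\") !== false) {
        return null;
    }
    // Allow-list every path segment; "." and ".." never match this pattern.
    $segments = explode('/', trim($requested, '/'));
    foreach ($segments as $segment) {
        if (!preg_match('/^[A-Za-z0-9_-]+$/', $segment)) {
            return null;
        }
    }
    $candidate = $baseReal . DIRECTORY_SEPARATOR . implode(DIRECTORY_SEPARATOR, $segments);

    // Defence in depth: if the target exists, canonicalise it (this follows
    // symlinks) and confirm it is still located under the base directory.
    $resolved = realpath($candidate);
    if ($resolved === false) {
        return $candidate; // not created yet; segments were already validated
    }
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($resolved . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $resolved;
}

// Constructed demo input: one legitimate value and three that must be rejected.
$base = sys_get_temp_dir() . '/wpcf7_drag-n-drop_uploads';
if (!is_dir($base)) {
    mkdir($base, 0700, true);
}
foreach (['form-12', 'form-12/../..', '..', '/etc'] as $input) {
    $out = resolve_upload_dir($base, $input);
    printf("%-16s => %s\n", $input, $out ?? 'REJECTED');
}
```

A stricter design derives the directory entirely on the server and does not read it from the request at all.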