The plugin does not properly check files uploaded through the dnd_codedropz_upload AJAX action, so an attacker could bypass the checks in place and upload a PHP file. A working exploit was provided along with this vulnerability. Exploitation also requires the Contact Form 7 plugin to be installed on the target machine.
https://github.com/amartinsec/CVE-2020-12800/blob/master/exploit.py
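
For triage on a site that ran the affected plugin, the following added example (not code from the advisory, the plugin or the linked repository) walks an upload directory and flags files that carry a PHP-mapped extension or a PHP open tag. The directory to scan, the extension list and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Extensions commonly mapped to the PHP handler (assumption: adjust to the server's config).
PHP_EXT = re.compile(r"\.(php[0-9]?|phtml|phar|pht)(?=$|[^a-z0-9])", re.IGNORECASE)
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

def classify(path):
    """Return a list of reasons the file at `path` looks like uploaded PHP."""
    reasons = []
    name = os.path.basename(path)
    # Catches notes.php, notes.PHP5, avatar.php.jpg and .php followed by stray characters.
    if PHP_EXT.search(name):
        reasons.append("php-extension")
    with open(path, "rb") as fh:
        head = fh.read(65536)  # the first 64 KiB is enough for triage
    if PHP_TAG.search(head):
        reasons.append("php-open-tag")
    return reasons

def scan_uploads(root):
    """Walk `root` and map each suspicious relative path to its reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            reasons = classify(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings

def build_sample_tree(root):
    """Write constructed sample files standing in for a form-upload directory."""
    samples = {
        "cv.pdf": b"%PDF-1.4 constructed sample",
        "photo.jpg": b"\xff\xd8\xff\xe0 constructed sample",
        "notes.php": b"<?php echo 'constructed'; ?>",
        "avatar.php.jpg": b"\xff\xd8\xff\xe0 constructed sample",
        "logo.png": b"\x89PNG <?php echo 'constructed'; ?>",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scan_uploads(tmp))
```

Point `scan_uploads` at the real upload directory instead of the sample tree; a hit on content alone (an image that contains a PHP open tag) deserves the same review as a hit on the extension.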