Security Risk
I have run this plugin for a while now and had my site compromised last week because of it.
The plugin's settings allow you to choose which file types are allowed to be uploaded. Even though this was set to allow only .pdf and .zip files to be uploaded, an attacker was able to exploit the file upload system, uploading a PHP script which then gave them full access to the site. These files were found within the folder where files are uploaded to.
After discovering this I attempted to do the same and was able to upload a .php script to my site and execute it without any resistance. This is a major flaw within the plugin and anyone running it should deactivate it immediately until it has been fixed. A simple Google search for lays out the exploit and shows it's been around for quite a while. A number of new updates for the plugin have been made since its discovery, but no fix.
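The failure described in this post is an upload filter that can be talked past. As an added illustration (not code from the original post, and not the plugin's own code), the block below contrasts the bypassable pattern, trusting the client-declared Content-Type, with a server-side validator that applies the poster's .pdf/.zip allowlist to every dot-separated segment of the name, checks the file's leading bytes against the declared type, and stores the file under a random name so the caller never controls the stored path. The function names, the list of interpreter-handled extensions and the sample inputs are assumptions made for the example.

```python
import os
import re
import secrets

# Constructed policy mirroring the post's configuration: only .pdf and .zip allowed.
ALLOWED_EXTENSIONS = {"pdf", "zip"}

# Leading bytes ("magic numbers") expected for each allowed type.
MAGIC = {
    "pdf": (b"%PDF-",),
    "zip": (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08"),
}

# Extensions a typical web server may hand to an interpreter (assumed list).
# Rejected anywhere in the name, not only at the end, so "x.php.pdf" is refused too.
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps",
    "htaccess", "cgi", "pl", "py", "sh",
}


def weak_is_allowed(client_mime: str) -> bool:
    """The bypassable pattern: the only input checked is a header the client chose.

    Nothing about the actual filename or bytes is examined, so a script with
    a forged Content-Type passes.
    """
    return client_mime in {"application/pdf", "application/zip"}


def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Server-side validation of an upload.

    Returns (True, stored_name) on acceptance, or (False, reason) on rejection.
    """
    if "\x00" in filename:
        return False, "null byte in filename"

    # Strip any directory components the client supplied (path traversal guard).
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing extension"

    # The final extension decides the type and must be on the allowlist.
    ext = parts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} not in allowlist"

    # No interpreter extension may appear in any segment after the first.
    for seg in parts[1:]:
        if seg in EXECUTABLE_EXTENSIONS:
            return False, f"executable extension .{seg} in name"

    # The bytes must look like the declared type; a .pdf starting with "<?php" fails.
    if not any(content.startswith(magic) for magic in MAGIC[ext]):
        return False, "content does not match declared type"

    # Store under a random name: the attacker never chooses the on-disk filename.
    stored = f"{secrets.token_hex(16)}.{ext}"
    return True, stored


if __name__ == "__main__":
    # Constructed sample inputs.
    print(validate_upload("report.pdf", b"%PDF-1.7\n%...\n"))
    print(validate_upload("shell.php", b"<?php echo 1; ?>"))
    print(validate_upload("shell.php.pdf", b"%PDF-1.7\n"))
    print(validate_upload("shell.pdf", b"<?php echo 1; ?>"))
    print(weak_is_allowed("application/pdf"))
```

Validation of this kind is one layer; the directory that receives uploads should also be configured so the web server serves its contents as static files rather than passing them to an interpreter, which limits the damage if a check is ever wrong.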