Users can upload a PHP file into the plugin and execute it via file upload

[tsv2013]

https://www.wordfence.com/learn/how-to-prevent-file-upload-vulnerabilities/

[tsv2013]

May be we can add links to the following resources:
https://www.wpbeginner.com/wp-tutorials/how-to-disable-php-execution-in-certain-wordpress-directories/
https://www.wpbeginner.com/wordpress-security/