WP-Curriculo Vitae Free <= 6.3 - Arbitrary File Upload
The WP-Curriculo Vitae Free plugin is vulnerable to arbitrary file upload by a remote attacker. The plugin provides a registration form that lets remote visitors register their personal information on the website that uses the plugin. A user with admin privileges can place the shortcode [formCadastro] on a page, and the information submitted through the form, including the profile picture and resume, is stored in a local directory without any restriction on file extension.
Here is a video that proves the vulnerability and presents the exploit process.
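The missing control is an allowlist on the two uploaded files. The following is an added example of such a check, not the plugin's code or its vendor's fix; the field names `picture` and `resume`, the allowed types, and the function name `safe_upload_name` are assumptions made for illustration.

```php
<?php
// Added example: allowlist validation for a registration form's two uploads.
// Field names and allowed types are assumptions, not taken from the plugin.
const ALLOWED_UPLOADS = [
    'picture' => ['jpg' => 'image/jpeg', 'png' => 'image/png'],
    'resume'  => ['pdf' => 'application/pdf'],
];

/**
 * Validate one entry of $_FILES and return a server-chosen file name.
 * Throws if the upload does not match the allowlist for that field.
 */
function safe_upload_name(string $field, array $file): string
{
    $allowed = ALLOWED_UPLOADS[$field] ?? null;
    if ($allowed === null) {
        throw new InvalidArgumentException("unexpected upload field: $field");
    }

    $tmp = $file['tmp_name'] ?? '';
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($tmp)) {
        throw new RuntimeException('upload failed or is not an HTTP upload');
    }

    // 1. Extension check: only the final suffix of the client-supplied name counts,
    //    so "cv.pdf.php" is judged as "php" and rejected.
    $ext = strtolower(pathinfo($file['name'] ?? '', PATHINFO_EXTENSION));
    $expectedMime = $allowed[$ext] ?? null;
    if ($expectedMime === null) {
        throw new RuntimeException("extension not allowed for $field: .$ext");
    }

    // 2. Content check: the sniffed MIME type must agree with the extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if ($mime !== $expectedMime) {
        throw new RuntimeException("file content does not match .$ext");
    }

    // 3. Discard the client's file name; keep only the vetted extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Usage inside the form handler ($uploadDir is an assumed directory in which
// the web server does not execute scripts):
// $name = safe_upload_name('resume', $_FILES['resume']);
// move_uploaded_file($_FILES['resume']['tmp_name'], $uploadDir . '/' . $name);
```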