A critical unrestricted file upload bug in Contact Form 7 allows an unauthenticated visitor to take over a site running the plugin. An attacker could also commandeer the server hosting the site if the WordPress instance is not containerized or otherwise segregated from the rest of the host. The bug hunter credited with identifying the flaw, Jinson Varghese, wrote that the vulnerability allows a user to bypass any file-type restrictions configured on a form in the plugin and upload an executable binary to a website running version 5.3.1 or earlier. The plugin developer was quick to fix the vulnerability, realizing its critical nature, according to researchers.
Source: https://threatpost.com/contact-form-7-plugin-bug/162383/