The plugin contains a Non-Arbitrary File Upload vulnerability due a missing form id check and an incorrect nonce check in the dnd_codedropz_upload_wc and dnd_codedropz_upload_delete_wc AJAX actions, which makes it possible for unauthenticated attackers to upload files to the server without it being assigned to an existing form and delete files from the server.