This plugin is prone to a arbitrary file upload vulnerability, because the code in mailcwp-upload.php doesn't check that a user is authenticated or what type of file is being uploaded.
Solution
Update the plugin.
Classification
Type Arbitrary File Upload OWASP Top 10 A1: Injection