A remote file upload vulnerability was found in this plugin. When a photo is uploaded, it is only partially validated. It is possible to upload a backdoor to the server hosting WordPress, and it can be executed even if the photo has not yet been approved. There is also a cross-site scripting vulnerability.
This vulnerability can be limited by hardening the web server.
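One way to validate a photo upload fully rather than partially, shown as an added example that is not the plugin's code; the function name `safe_photo_name`, the allowlist and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not the plugin's code. Names and allowlist are assumptions.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validates the uploaded file at $tmpPath. Returns a server-generated file
 * name that is safe to store, or null when the upload must be rejected.
 */
function safe_photo_name(string $tmpPath, string $clientName): ?string
{
    // 1. Reject script extensions anywhere in the client name (e.g. x.php.jpg).
    if (preg_match('/\.(php\d?|phtml|phar|pl|py|cgi|sh)(\.|$)/i', $clientName)) {
        return null;
    }
    // 2. Detect the type from the file content, not the client-sent MIME type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime === false || !array_key_exists($mime, ALLOWED_IMAGE_TYPES)) {
        return null;
    }
    // 3. The file must parse as an image and agree with the detected type.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info['mime'] !== $mime) {
        return null;
    }
    // 4. Never reuse the client's name: random name, extension from allowlist.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
}

// Constructed sample inputs: a script with an image-looking name, a real
// 1x1 GIF with a script extension in its name, and the same GIF named normally.
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
$samples = [
    ['holiday.jpg',   "<?php echo 'not an image'; ?>"],
    ['photo.php.gif', $gif],
    ['photo.gif',     $gif],
];
foreach ($samples as [$name, $bytes]) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    var_dump($name, safe_photo_name($tmp, $name));
    unlink($tmp);
}
```

A file that parses as a valid image can still carry embedded code, so the server-chosen extension should be paired with a web server rule that disables script execution in the upload directory.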