The Pie Forms for WP plugin for WordPress has a security flaw that allows attackers to upload harmful files. It affects all versions of the plugin, up to version 1.6. The problem lies in how the plugin validates the type of file being uploaded: it checks for certain file extensions, but the check does not fully prevent the upload process from completing. As a result, anyone, even without a username or password, can upload a file with a dangerous extension such as PHP, which could potentially allow them to take control of the website. Exploiting the vulnerability requires the attacker to correctly guess where the file will be saved, which is not easy. In addition, the file name is generated using a secure method, which makes exploitation harder.
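One way a check can flag a disallowed extension and still let the upload finish, shown beside a fail-closed version. This is an added illustration, not the plugin's code: the function names, the allow-list and the `$save` stand-in (random name, original extension kept) are hypothetical assumptions.

```php
<?php
// Added illustration, not code from the Pie Forms plugin. All names are hypothetical.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'pdf']; // assumed allow-list

function extension_of(string $filename): string {
    return strtolower(pathinfo($filename, PATHINFO_EXTENSION));
}

// Flawed pattern: the check records an error, but nothing halts execution,
// so the file is still written to disk.
function handle_upload_flawed(array $file, callable $save): array {
    $errors = [];
    if (!in_array(extension_of($file['name']), ALLOWED_EXTENSIONS, true)) {
        $errors[] = 'File type not allowed';
        // No return here: control falls through to the save below.
    }
    $stored = $save($file, extension_of($file['name']));
    return ['errors' => $errors, 'stored' => $stored];
}

// Fail-closed pattern: reject before any write can happen.
function handle_upload_fixed(array $file, callable $save): array {
    $ext = extension_of($file['name']);
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return ['errors' => ['File type not allowed'], 'stored' => null];
    }
    return ['errors' => [], 'stored' => $save($file, $ext)];
}

// Constructed stand-in for the storage step; it only records the name it would write.
$written = [];
$save = function (array $file, string $ext) use (&$written): string {
    $name = bin2hex(random_bytes(16)) . '.' . $ext; // unpredictable name, extension kept
    $written[] = $name;
    return $name;
};

$sample = ['name' => 'avatar.php', 'tmp_name' => '/tmp/phpXXXX']; // constructed input

$flawed = handle_upload_flawed($sample, $save);
$fixed  = handle_upload_fixed($sample, $save);

// The flawed handler reports an error yet still stores the file; the fixed one stores nothing.
printf("flawed: errors=%d stored=%s\n", count($flawed['errors']), $flawed['stored'] ?? 'nothing');
printf("fixed:  errors=%d stored=%s\n", count($fixed['errors']), $fixed['stored'] ?? 'nothing');
printf("files written: %s\n", implode(', ', $written));
```

The random file name raises the cost of finding the stored file but does not undo the write, so the fix belongs in the validation path: return before the save whenever the check fails.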