The WordPress plugin wp-file-upload does not adequately check the filetype before allowing it to be uploaded. It also uploaded files with execute permissions, allowing malicious payloads to be uploaded.
Proof of Concept
1. Install wp-file-upload on a WordPress site and activate it.
2. Create an upload form on a page.
3. Create a file named payload.php.....jpg with the contents
echo "You got pwnd";
4. Use the form you created to upload this payload
5. Navigate to /wp-content/uploads/payload.php.....jpg and see "You got pwnd" printed.