Affected versions of this package are vulnerable to Arbitrary File Upload which allows attackers to execute arbitrary code via a crafted filename.
The conditions to be vulnerable are as follows:
eval (user input) file name as code
use the keepextension option
use Linux or =iOS (where <>` are valid file chars)
not using the filename option, or using it without validating user input
Upgrade formidable to version 3.2.4 or higher.