Directory traversal vulnerability in pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress allows remote attackers to write to arbitrary files via a .. (dot dot) in the q parameter.
https://wordpress.org/plugins/pixabay-images/changelog/
https://exchange.xforce.ibmcloud.com/vulnerabilities/100036
http://www.securityfocus.com/archive/1/534505/100/0/threaded