The ApplyOnline WordPress plugin before 2.6.3 does not protect uploaded files during the application process, allowing unauthenticated users to access them and any private information they contain
https://wpscan.com/vulnerability/242dac1f-9a1f-4fde-b8c7-374bd451071d/