On a page where there is a form with a Signature field, run the following code in the web developer console while unauthenticated and submit the form.


This will create the /wp-content/uploads/form-maker/signatures/signature-<10-digit number generated with rand(10)>.php file containing the PHP code echo "Hello World";. An attacker could either try to guess the pseudo-random part, or wait until an admin views the submissions list, which will call the file via an image tag and run the code.
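
To check a site for files left behind this way, the signatures directory can be audited for anything that is not a plain image. The script below is an added example, not code from the plugin or from this advisory; it assumes legitimate signature files are PNG or JPEG images, and the file names and contents in demo() are constructed samples.

```python
import os
import tempfile

# Directory named in the advisory, relative to the WordPress root.
SIGNATURE_DIR = "wp-content/uploads/form-maker/signatures"
# Assumption: legitimate signature files are PNG or JPEG images.
IMAGE_MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff"}
PHP_OPEN_TAG = b"<?php"


def audit_signature_dir(directory):
    """Return (filename, reason) pairs for files that are not plain images."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        ext = os.path.splitext(name)[1].lower()
        with open(path, "rb") as fh:
            data = fh.read()
        if ext not in IMAGE_MAGIC:
            findings.append((name, "unexpected extension " + (ext or "(none)")))
        elif not data.startswith(IMAGE_MAGIC[ext]):
            findings.append((name, "content does not match " + ext))
        if PHP_OPEN_TAG in data.lower():
            findings.append((name, "contains PHP open tag"))
    return findings


def demo():
    """Build a constructed directory (not real data) and audit it."""
    with tempfile.TemporaryDirectory() as root:
        sig_dir = os.path.join(root, SIGNATURE_DIR)
        os.makedirs(sig_dir)
        samples = {
            "signature-1111111111.png": IMAGE_MAGIC[".png"] + b"\x00" * 16,
            "signature-2222222222.php": b'<?php echo "Hello World";',
            "signature-3333333333.png": b"not an image",
        }
        for name, data in samples.items():
            with open(os.path.join(sig_dir, name), "wb") as fh:
                fh.write(data)
        return audit_signature_dir(sig_dir)


if __name__ == "__main__":
    for name, reason in demo():
        print(name, "->", reason)
```

On a real site, call audit_signature_dir() with the absolute path of the signatures directory; any finding with a .php extension should be treated as a possible compromise and investigated.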