A vulnerability was discovered in the MailPoet WordPress plugin that allows the attacker to upload a file to your server remotely.
The MailPoet plugin developers have fixed this vulnerability now. So make sure to update your copy of the MailPoet plugin (if you are using it) to the latest version.