The upload directories of WordPress can be used by any plugin to store files.
Hackers exploit this by placing malware in the upload directories through vulnerable plugins.
With that malware, they can send spam and display advertisements for their own (often illegal) products on the website.
Securing the weak link
Preventing plugins from placing files in the upload directories is not an option since it would hinder their functionality.
However, you can ensure that the malware cannot be executed!
With this security plugin, you can simply click to disallow the execution of files (malware) in the upload directories.
This is one of the many options the security plugin offers to make your WordPress site much safer!