Please report to Joomla if needed.
https://xakep.ru/2018/10/19/jquery-file-upload/?amp
You can see many videos on YouTube about this topic.
I found some other upload plugins having the same type of vulnerability.
The problem is not the script, it's the possibility to upload any files.
If you verify the uploaded files (using exif or getimagesize) it's not a problem. Only the dumb don't check the uploaded file, and all scripts have potential vulnerabilities. VM permits uploading any type of file, so VM is vulnerable by default if an admin sends a file.
But do you verify all the free plugins, modules and components you download and install in Joomla? I have already found vulnerabilities in more than 10 Joomla websites because of these free extensions (and some paid ones), and some of the companies are well known in the Joomla/VM community.
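The content check mentioned in the post above (getimagesize), as an added PHP example that is not code from jQuery-File-Upload, Joomla or VirtueMart. The function name `store_uploaded_image`, the size limit and the storage directory are assumptions; the directory is assumed to sit outside the web root or to have script execution disabled. Because getimagesize only inspects the file header, the example also discards the client-supplied filename and picks the extension from an allowlist.

```php
<?php
declare(strict_types=1);

// Allowlist: detected image type => extension the server will store it under.
const ALLOWED_IMAGE_TYPES = [
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
    IMAGETYPE_GIF  => 'gif',
];

/**
 * Hypothetical helper: validate one entry of $_FILES and store it.
 * Returns the server-generated filename; throws on any failed check.
 */
function store_uploaded_image(array $file, string $storageDir, int $maxBytes = 2097152): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    // Only accept files that PHP itself received over HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an HTTP upload');
    }
    // Measure the size on the server; do not trust $file['size'].
    if (filesize($file['tmp_name']) > $maxBytes) {
        throw new RuntimeException('File too large');
    }
    // Decide the type from the content, never from the client-supplied
    // name or MIME type. Index 2 holds an IMAGETYPE_* constant.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED_IMAGE_TYPES[$info[2]])) {
        throw new RuntimeException('Not an allowed image type');
    }
    // Random name plus allowlisted extension: the original filename
    // (and any .php or double extension in it) never reaches the disk.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$info[2]];
    $dest = rtrim($storageDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640); // readable, never executable
    return $name;
}

// Usage (assumed form field name "image", assumed storage path):
// $stored = store_uploaded_image($_FILES['image'], '/var/app-data/uploads');
```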