will cause the visitor’s browser to quietly upload a file using the WordPress site’s XMLRPC interface

It’s absurd that XMLRPC is still not disabled by default.