• We have identified critical security problems related to your plugin’s file upload handling and cron-based file deletion.


    1. Publicly accessible uploaded files
    • Uploaded files are stored in the standard wp-content/uploads directory (and a predictable subdirectory) and are publicly accessible without any protection.
    • The plugin only adds a hashed subdirectory when the user has a valid wpcf7_guest_user_id cookie.
    • If this cookie is not present, files are placed in a non‑hashed, predictable location and remain directly accessible by URL under their original filenames. This creates a serious information disclosure risk.

    2. Cron event for daily cleanup not scheduled
    • The daily cron event for removing old uploaded files is not registered at all, even though file auto‑deletion is enabled in the plugin settings.
    • As a result, uploaded files accumulate indefinitely and remain publicly accessible.
    • I have checked the cron list, and there is no event from your plugin responsible for deleting these files.


    3. Environment details
    • WordPress: latest stable version
    • Plugin: latest available version from the official source
    • PHP: supported and recommended version for current WordPress

    Expected behavior
    • Uploaded files should never be publicly accessible in a predictable location without protection (for example, they should always be stored in a hashed/non‑guessable path, regardless of cookies, or blocked via access rules).
    • The daily cron event for cleaning old files should be reliably scheduled and executed whenever the auto‑delete option is enabled.
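
An added example, not part of the original post or the plugin's own code: a Python audit a site owner could run over the plugin's upload folder to find the two conditions reported above (files outside a hashed folder, and files the cleanup job should already have removed). The folder path passed in, the 16+ hex-character test for a "hashed" folder name and the one-day retention period are assumptions.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Assumption: a "hashed" per-visitor folder has a name of 16+ hex characters.
HASHED_DIR = re.compile(r"^[0-9a-f]{16,}$", re.IGNORECASE)


def audit_uploads(root, max_age_days=1, now=None):
    """List files under root that are exposed or overdue for deletion.

    Returns (relative_path, reasons) tuples; reasons can contain
    "predictable-path" (no hashed folder between root and the file) and
    "stale" (older than max_age_days, so the cleanup job has not run).
    """
    root = Path(root)
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        reasons = []
        if not any(HASHED_DIR.match(part) for part in rel.parts[:-1]):
            reasons.append("predictable-path")
        if path.stat().st_mtime < cutoff:
            reasons.append("stale")
        if reasons:
            findings.append((rel.as_posix(), reasons))
    return findings


if __name__ == "__main__":
    # Constructed sample tree standing in for the plugin's upload folder.
    with tempfile.TemporaryDirectory() as tmp:
        hashed = Path(tmp) / "0123456789abcdef0123456789abcdef"
        hashed.mkdir()
        week_ago = time.time() - 7 * 86400
        for name, parent, mtime in [("cv.pdf", Path(tmp), None),
                                    ("old.pdf", hashed, week_ago)]:
            f = parent / name
            f.write_bytes(b"sample")
            if mtime is not None:
                os.utime(f, (mtime, mtime))
        for rel, reasons in audit_uploads(tmp):
            print(f"{rel}: {', '.join(reasons)}")
```

Any "predictable-path" result is a file reachable by a guessable URL; any "stale" result means the scheduled cleanup is not running.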

Viewing 3 replies - 1 through 3 (of 3 total)