If I'm correct, you only check the file extension during upload. Also, the files are stored, with the same name, in the WP upload directory, directly accessible via the browser. This doesn't look too secure.
The following document offers some thoughts on the matter:
I'd be interested in talking about this and getting your opinion. Thanks.
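As an added illustration of the two weaknesses raised in the comment above (extension-only checking and storing under the original, browsable name), here is the weak pattern next to a hardened plain-PHP handler; this is example code, not the plugin's own, and `$_FILES['upload']`, the `$uploadDir`/`$storeDir` arguments and the allow-list are assumptions.

```php
<?php
// Added example (not from the original post or the plugin it discusses).
// Assumes plain PHP with the fileinfo extension; the array passed in is
// one entry of $_FILES, e.g. $_FILES['upload'].

// WEAK: only the client-supplied name's extension is checked, and the file
// keeps that name inside the web-accessible upload directory, so the
// stored path is predictable and the content is never inspected.
function weak_store(array $file, string $uploadDir): string {
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'png', 'pdf'], true)) {
        throw new RuntimeException('bad extension');
    }
    $dest = $uploadDir . '/' . basename($file['name']); // predictable, browsable
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// HARDENED: allow-list the extension AND sniff the type from the bytes,
// require the two to agree, give the file a random server-side name, and
// keep the original name only as metadata. $storeDir should be outside the
// served tree (or have script execution disabled); downloads then go
// through a handler that sets Content-Type from the stored record.
function hardened_store(array $file, string $storeDir): array {
    $allowed = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'pdf' => 'application/pdf'];
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    $finfo   = new finfo(FILEINFO_MIME_TYPE);
    $sniffed = $finfo->file($file['tmp_name']);   // type from content, not name
    if ($sniffed !== $allowed[$ext]) {
        throw new RuntimeException("content type $sniffed does not match .$ext");
    }
    $stored = bin2hex(random_bytes(16)) . '.' . $ext; // unguessable, no user input
    $dest   = rtrim($storeDir, '/') . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // readable by the app, never executable
    return ['stored' => $stored, 'mime' => $sniffed, 'original' => basename($file['name'])];
}
```

In a WordPress plugin the usual route is to hand the file to wp_handle_upload(), which applies wp_check_filetype_and_ext() and wp_unique_filename(), rather than writing into the upload directory directly.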