We have the same problem with our ultimate member installation. Files being uploaded to uploads/ultimatemember/temp.
WPvulndb.com: https://wpvulndb.com/vulnerabilities/9110
I advise to turn off php execution in the /uploads/ folder. Add this to a .htaccess file and upload it to wp-content/uploads/:
# Kill PHP Execution
<Files ~ “\.ph(?:p[345]?|t|tml)$”>
deny from all
</Files>