Ultimate Membership Pro <= 7.5 - Arbitrary media upload
The ajax-upload.php endpoint doesn't check for the current user's capabilities (or that they are even logged in), so we can do a few things we shouldn't be able to do:
Without any credentials, you can simply POST the image file in the field ihc_file and it'll store it for you:
~$ curl -F "[email protected]" https://vulnerable.host/wp-content/plugins/indeed-membership-pro/public/ajax-upload.php
Typical WP media upload rules apply so YMMV on further exploiting this, but if nothing else you probably don't want random media uploaded to your site.