WordPress Plugin Vulnerabilities

My Account Page Editor < 1.3.2 - Subscriber+ Arbitrary File Upload

Description

The plugin does not validate the profile picture being uploaded, allowing any authenticated user, such as a subscriber, to upload arbitrary files to the server, leading to RCE.

Proof of Concept

# Prerequisite:

This vulnerability requires the "Upload Profile Picture" option to be enabled, which isn't the default. You can activate that feature on the following page: /wp-admin/edit.php?post_type=kamy_acc&page=customize-my-account-page-layout&tab=profile_img_settings. 

It also requires the "Endpoints as:" setting to be "theme", which can be verified at /wp-admin/edit.php?post_type=kamy_acc&page=customize-my-account-page-layout&tab=endpoints_settings. You may need to press "Save Settings" once, even though "theme" is the default, as this option does not always seem to be populated in the database.

# Proof of concept:

Note: We are assuming WooCommerce's default user account page (/my-account/) hasn't changed.

1) Have a malicious PHP file handy. It can be as simple as containing <?php phpinfo();
2) While logged in as a Subscriber, or WooCommerce customer, visit /my-account/
3) Click on your user's avatar to change it, and upload your PHP file instead. (Since v1.3.0, the request made needs to be intercepted and the Content-Type of the file changed to image)
4) Search for your uploaded PHP file somewhere in /wp-content/uploads.
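The root cause described above (no validation at all before 1.3.0, and only a check of the client-supplied Content-Type from 1.3.0) is what a fix has to address. The following is an added example, not the plugin's code, showing the weak check beside a hardened one that inspects the file's bytes; the function names and the constructed sample files are assumptions made for the example.

```php
<?php
// Added example (not the plugin's code): validate an uploaded avatar by its
// content, never by the Content-Type header the client chose to send.

// Weak check, matching what the advisory describes for >= 1.3.0:
// $_FILES['avatar']['type'] is copied from the request, so a PHP file
// labelled "image/png" by the client passes.
function weak_is_image(array $file): bool {
    return strpos($file['type'], 'image/') === 0;
}

// Hardened check: sniff the magic bytes on disk, require a decodable image,
// and pin the stored extension to the detected type (not the client's name).
function hardened_avatar_extension(array $file): ?string {
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);   // derived from file content
    if (!isset($allowed[$mime])) {
        return null;
    }
    // getimagesize() must agree; it rejects files that only borrow a signature.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        return null;
    }
    return $allowed[$mime];                      // caller stores as <random>.<ext>
}

// Constructed inputs: a minimal real 1x1 PNG, and a PHP script that the
// request claims is a PNG (the situation described in the advisory).
$png = tempnam(sys_get_temp_dir(), 'av');
file_put_contents($png, base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
));
$php = tempnam(sys_get_temp_dir(), 'av');
file_put_contents($php, "<?php echo 'not an image';");

foreach ([$png, $php] as $path) {
    // Both uploads carry the same client-chosen name and Content-Type.
    $upload = ['name' => 'avatar.png', 'type' => 'image/png',
               'tmp_name' => $path, 'error' => UPLOAD_ERR_OK];
    printf("%s weak=%s hardened=%s\n", basename($path),
        var_export(weak_is_image($upload), true),
        var_export(hardened_avatar_extension($upload), true));
    unlink($path);
}
```

In a WordPress plugin the same content check is obtained by routing the file through wp_handle_upload(), which calls wp_check_filetype_and_ext() rather than trusting the request's MIME type.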

Miscellaneous

Original Researcher
Alexander Concha
Verified
Yes

Timeline

Publicly Published
2023-09-07
Added
2023-09-06
Last Updated
2023-09-06