## https://sploitus.com/exploit?id=WPEX-ID:80E0E21C-9E6E-406D-B598-18EB222B3E3E
# Prerequisite:
This vulnerability requires the "Upload Profile Picture" option to be enabled, which isn't the default. You can activate that feature on the following page: /wp-admin/edit.php?post_type=kamy_acc&page=customize-my-account-page-layout&tab=profile_img_settings.
It also needs to have the "Endpoints as:" setting value be "theme", which can be verified at /wp-admin/edit.php?post_type=kamy_acc&page=customize-my-account-page-layout&tab=endpoints_settings. You may need to press "Save Settings" once, even if it's the default as it does not seem like this option is always populated in the database.
# Proof of concept:
Note: We are assuming WooCommerce's default user account page (/my-account/) hasn't changed.
1) Have a malicious PHP file handy. It can be as simple as containing <?php phpinfo();
1) While logged-in as a Subscriber, or WooCommerce customer, visit /my-account/
2) Click on your user's avatar to change it, and upload your PHP file instead. (Since v1.3.0, the request made needs to be intercepted and the Content-Type of the file changed to image)
3) Search for your uploaded PHP file somewhere in /wp-content/uploads.