qdPM Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) Vulnerability - CVE-2020-7246

A remote code execution (RCE) vulnerability exists in qdPM 9.1 and earlier. An attacker can upload a malicious PHP code file via the profile photo functionality by leveraging a path traversal vulnerability in the users39photop_preview39 delete photo feature allowing bypass of .htaccess protection. NOTE: this issue exists because of an incomplete fix for CVE-2015-3884.