A malicious user can bypass the upload check and upload a .phtm or .php6 file, which leads to stored XSS.
<a></a>
https://demo.microweber.org/demo/userfiles/media/default/123_7.phtm
https://drive.google.com/file/d/1eDNDRLquNuev0diRuMt3Z2cxKhEj5bt4/
<img src>
https://demo.microweber.org/demo/userfiles/media/default/123.php6
https://drive.google.com/file/d/15KatRGUfbCndq3oMHhUzjXosIfTGW908/
Stored XSS
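
An added example, not code from microweber or from the original report: a blocklist-style extension check next to an allowlist, run over the two extensions named above. Both extension lists and all function names are assumptions made for illustration; the sample file names are constructed.

```php
<?php
// Added example; not microweber's code. Both lists are assumed for illustration.

// Blocklist style: anything not named here is accepted.
const BLOCKED_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'phtml', 'html', 'htm', 'js'];

// Allowlist style: only these media extensions are accepted.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'webp', 'pdf'];

function extensionOf(string $filename): string
{
    // Drop any path component and trailing dots/spaces, then lowercase the last suffix.
    $name = rtrim(basename(str_replace('\\', '/', $filename)), ". \t");
    return strtolower(pathinfo($name, PATHINFO_EXTENSION));
}

function passesBlocklist(string $filename): bool
{
    return !in_array(extensionOf($filename), BLOCKED_EXTENSIONS, true);
}

function passesAllowlist(string $filename): bool
{
    $ext = extensionOf($filename);
    // A file with no extension is rejected rather than waved through.
    return $ext !== '' && in_array($ext, ALLOWED_EXTENSIONS, true);
}

// Constructed sample names; the first two use the extensions from the report.
$samples = ['123_7.phtm', '123.php6', 'page.PHP', 'photo.jpg', 'noextension'];

foreach ($samples as $name) {
    printf(
        "%-14s blocklist=%-6s allowlist=%s\n",
        $name,
        passesBlocklist($name) ? 'accept' : 'reject',
        passesAllowlist($name) ? 'accept' : 'reject'
    );
}
```

The blocklist accepts 123_7.phtm and 123.php6 because neither suffix is on its list, while the allowlist rejects both and accepts only photo.jpg.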