WordPress: [Buddypress] Arbitrary File Deletion through bp_avatar_set
Hi, The bp_avatar_set action in BuddyPress when cropping avatars allows an attacker to arbitrarily delete a file the webserver can delete through the 'originalfile' parameter. For example: Create a user on a BuddyPress-powered WordPress instance; any user is OK, doesn't need to be admin, just needs ...
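As an added defensive example (not BuddyPress's own code and not part of the original report), this is the kind of check a handler that deletes a file named by a request parameter should perform before calling unlink(): resolve the supplied path with realpath() and require that it stays inside the directory the handler owns. The helper name `safe_delete_avatar_file`, the `$upload_base` location and the usage line are assumptions; the parameter name is taken from the report as written.

```php
<?php
// Added example: hardened handling of a user-supplied file path before unlink().
// Hypothetical helper, not BuddyPress's bp_avatar_set implementation.

/**
 * Delete $requested only if it resolves to a regular file inside $upload_base.
 * Returns true on deletion, false when the path is rejected or the file is absent.
 */
function safe_delete_avatar_file(string $upload_base, string $requested): bool
{
    // Canonicalise both sides so '..', symlinks and duplicate separators cannot escape.
    $base   = realpath($upload_base);
    $target = realpath($requested);
    if ($base === false || $target === false) {
        return false; // base dir missing, or the requested path does not exist
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // Prefix check: the canonical target must start with the canonical base dir.
    if (strncmp($target, $base, strlen($base)) !== 0) {
        error_log("avatar delete rejected: '$requested' resolves outside '$base'");
        return false;
    }

    // Only delete regular files, never directories or special files.
    if (!is_file($target)) {
        return false;
    }

    return unlink($target);
}

// Usage sketch (constructed): the request value is never handed to unlink() directly.
// $deleted = safe_delete_avatar_file('/var/www/uploads/avatars', $_POST['originalfile'] ?? '');
```

In a multi-user installation the base directory passed in should be the current user's own avatar directory rather than the shared upload root, so that a valid-looking path can still only remove that user's own files. A rejected request is worth logging, as above, because repeated rejections from one account are a useful detection signal for probing of this parameter.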