The plugin does not validate the file types, and uses a hardcoded encryption key during the profile picture upload process. Authenticated users with minimal permissions, such as a subscriber, can thus upload arbitrary files, potentially leading to remote code execution.