The theme does not validate files uploaded via an AJAX action that is available to unauthenticated users, which could allow them to upload arbitrary files (including PHP) to the web root and lead to remote code execution (RCE).
Upload a File: the response gives the path to the uploaded file:

{"type":"success","url":"https://example.com/wp-content/uploads/wp-custom-uploader/1665086303.php","filename":"1665086303.php","message":"Image deleted."}
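A hardened form of such an AJAX upload handler, as an added example that is not the theme's code: it registers no nopriv hook, requires a nonce and a capability, and validates the file against an image allow-list by extension and content before letting WordPress core store it. The hook, action, parameter names and the chosen capability are assumptions.

```php
<?php
// Added example, not the theme's own code. Hook/action names and the
// 'upload_files' capability are assumptions made for illustration.

// Only the authenticated hook is registered. Deliberately NOT registering
// wp_ajax_nopriv_* means unauthenticated requests get no endpoint at all.
add_action( 'wp_ajax_secure_theme_upload', 'secure_theme_upload_handler' );

function secure_theme_upload_handler() {
    // 1. CSRF: the request must carry a nonce issued for this action.
    check_ajax_referer( 'secure_theme_upload', 'nonce' );

    // 2. Authorization: require a capability, not merely a logged-in session.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( array( 'message' => 'No file received.' ), 400 );
    }

    // 3. Validation: allow-list of image types, checked by extension AND
    //    by inspecting the file content, so "shell.php" or a PHP payload
    //    renamed to ".png" is rejected rather than written to the web root.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );
    $check = wp_check_filetype_and_ext(
        $_FILES['file']['tmp_name'],
        $_FILES['file']['name'],
        $allowed
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( array( 'message' => 'File type not allowed.' ), 415 );
    }

    // 4. Let core move the file: it sanitizes the name, enforces the same
    //    allow-list again and stores it under the uploads directory.
    $result = wp_handle_upload(
        $_FILES['file'],
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( array( 'message' => $result['error'] ), 400 );
    }

    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```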