An issue exists in osCommerce v4, allows local malicious users to bypass file upload restrictions and execute arbitrary code via administrator profile photo upload feature.