(3) inject some php code inside jpeg files as EXIF metadata content:
this, in combinations with third party vulnerable code can be used
to compromise the server where PHP is installed.
Should be enough to check for php code inside the temporary files
before to copy the new avatar in "images/avatars/" folder