On the point of "this bug allows the user to delete the malicious disabled image and then upload a replacement," what's to stop them from uploading a replacement under a new image name anyway even with this "bug" fixed?
On the point of "this bug allows the user to delete the malicious disabled image and then upload a replacement," what's to stop them from uploading a replacement under a new image name anyway even with this "bug" fixed?