1. Remove tmp-folder from webroot: Ensure that the temporary file directory is relocated outside of the web root to prevent unauthorized access. 2. Remove files from tmp folder even on negative checks: Implement a cleanup process to remove files from the temporary folder, regardless of whether the file extension check is positive or negative. 3. Consolidate image upload code for AJAX requests: It should be noted that there is code for handling image uploads over AJAX (and not through the API) under `bl-kernel/ajax/profile-picture-upload.php`. This code is similar, but different to the API image upload code. For instance, the AJAX code for image uploads includes MIME type validation to provide an additional layer of security. It is advised to consolidate the code into a single location for easier maintenance and ensuring that it is consistent across different parts of the application.

- Admin must enable the API (API is disabled by default). - Attacker requires an account to upload a malicious PHP file. - Authentication is not required to access the temporary file directory.