The vulnerability stems from incomplete file extension validation in three key file upload handlers. All three modified functions used an insufficient list of PHP-related extensions (php, php3-5, phtml) in their in_array() checks, missing php7, php8, and phar. The patch explicitly adds these extensions, confirming these validation closures were the vulnerable points. These functions handle file upload validation for both front-end forms and control panel assets, making them direct vectors for bypassing security controls.
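
The gap described above, as an added illustration (not the project's own code): the same `in_array()` extension check run against the pre-patch and post-patch lists, next to an allowlist variant that goes beyond what the patch does. The function names, the lowercasing step, the image allowlist and the sample file names are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Denylist as the page describes it before the patch (php3-5 written out).
const BLOCKED_BEFORE = ['php', 'php3', 'php4', 'php5', 'phtml'];
// Denylist after the patch: php7, php8 and phar added.
const BLOCKED_AFTER = ['php', 'php3', 'php4', 'php5', 'phtml', 'php7', 'php8', 'phar'];
// Assumption: allowlist for a hypothetical image-only upload field.
const ALLOWED_IMAGES = ['jpg', 'jpeg', 'png', 'gif', 'webp'];

/** Final extension of a client-supplied file name, lowercased (assumed normalisation). */
function upload_extension(string $name): string
{
    return strtolower(pathinfo($name, PATHINFO_EXTENSION));
}

/** Denylist check in the style the page describes: in_array() on the extension. */
function passes_denylist(string $name, array $blocked): bool
{
    return !in_array(upload_extension($name), $blocked, true);
}

/** Allowlist check: anything not explicitly permitted is rejected. */
function passes_allowlist(string $name, array $allowed): bool
{
    return in_array(upload_extension($name), $allowed, true);
}

// Constructed sample file names, not taken from the advisory.
$samples = ['avatar.png', 'report.php', 'theme.phtml', 'form.php7', 'form.php8', 'bundle.phar'];

printf("%-14s %-8s %-8s %-8s\n", 'file', 'before', 'after', 'allow');
foreach ($samples as $name) {
    printf(
        "%-14s %-8s %-8s %-8s\n",
        $name,
        passes_denylist($name, BLOCKED_BEFORE) ? 'accept' : 'reject',
        passes_denylist($name, BLOCKED_AFTER) ? 'accept' : 'reject',
        passes_allowlist($name, ALLOWED_IMAGES) ? 'accept' : 'reject'
    );
}
```

The denylist has to be extended every time the interpreter gains a new executable extension, while the allowlist column rejects such files without any change.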