Onto the fun stuff: I found that it supported Exif and decided to test out an idea. What I found was that the user avatar upload allowed .jpg and .png, and did a very basic check for malformed files or PHP disguised as an image file. Using an old and known trick, which involved manually tampering with the upload POST, I was able to upload a PHP file through Exif data. This page and this page showed me how to take advantage of the Exif support. I achieved arbitrary file upload and RCE, but I decided to dig further into the website. Later I discovered that ImageTragick also affected the website, much to my dismay.
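A defensive counterpart to the avatar upload issue described above, as an added example that is not from the original post or the affected CMS: it picks the stored file name on the server from the file's magic bytes and removes Exif and comment segments from a JPEG, reporting any PHP tag it sees. The function names and the sample bytes are constructed for illustration, and only JPEG stripping is shown.

```python
import secrets
import struct

PHP_MARKERS = (b"<?php", b"<?=")
MAGIC = {b"\xff\xd8\xff": ".jpg", b"\x89PNG\r\n\x1a\n": ".png"}

def stored_name(data: bytes) -> str:
    """Server-chosen name: extension comes from magic bytes, never from the client."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return secrets.token_hex(16) + ext
    raise ValueError("not a JPEG or PNG")

def strip_jpeg_metadata(data: bytes):
    """Return (cleaned_bytes, findings) with APP1-APP15 and COM segments removed."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    out, findings, i = bytearray(b"\xff\xd8"), [], 2
    while i + 4 <= len(data):
        if data[i] != 0xFF:
            raise ValueError("corrupt segment header")
        marker = data[i + 1]
        if marker == 0xDA:  # start of scan: image data runs to the end of the file
            rest = data[i:]
            if any(m in rest for m in PHP_MARKERS):
                findings.append("PHP tag in image data or trailing bytes")
            return bytes(out + rest), findings
        (length,) = struct.unpack(">H", data[i + 2:i + 4])
        if length < 2 or i + 2 + length > len(data):
            raise ValueError("bad segment length")
        segment = data[i:i + 2 + length]
        if any(m in segment for m in PHP_MARKERS):
            findings.append(f"PHP tag in segment 0xFF{marker:02X}")
        if not (0xE1 <= marker <= 0xEF or marker == 0xFE):  # keep non-metadata
            out += segment
        i += 2 + length
    raise ValueError("no start-of-scan segment")

def seg(marker: int, payload: bytes) -> bytes:
    """Build one JPEG segment (helper for the constructed sample below)."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample (not a real photo): JFIF header, Exif segment carrying an
# inert PHP tag, minimal scan header, EOI.
SAMPLE = (b"\xff\xd8" + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + seg(0xE1, b"Exif\x00\x00<?php /* constructed marker */ ?>")
          + seg(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x00\xff\xd9")
```

An upload handler would reject the file when the findings list is non-empty. Re-encoding the pixels with an image library is the stronger control, since this parser leaves the scan data untouched.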
During my reconnaissance for subdomains that might be hosting staging, defunct or unclaimed apps, beta environments, testing pages, etc. using sublist3r, I found a subdomain named videos.website.com. It was running the same CMS, albeit lacking user-submitted content, and seemed more like a testing subdomain, though I was planning to look for any form of SQL injection, since a MySQL database is needed for the CMS to work. According to the documentation, the search bar used the database to search for videos, and I checked using time-based commands such as 'sleep(), etc. but came up with nothing. I then checked for XSS, but much to my surprise I managed to get an SQL error using videos.website.com/search/'*/
With the help of a fellow security researcher who didn't want to be named, I was able to craft a payload that demonstrated the capability to load the etc/passwd file, and yes, it's totally possible to achieve RCE through SQLi. This made two RCE vulnerabilities on one website, and both were reported quickly. Most people would stop here, but seeing how the site was handled and set up, it wouldn't be a surprise if there were other vulnerabilities lurking around, and I did eventually find more.