That is the problem... you have:
WA_DFP_UploadFiles("WA_UploadResult1", "photo", "0", "", "false", $WA_UploadResult1_Params);
The "false" part is the setting to restrict the upload to images only. If you change that to:
WA_DFP_UploadFiles("WA_UploadResult1", "photo", "0", "", "true", $WA_UploadResult1_Params);
That would likely fix the security hole. File upload for anything but images should only be done by an admin, so not having that restriction on an upload file field is an inherent risk, particularly if they know the name of the folder it is being uploaded to, which they could tell by viewing the source of a displayed image.
Change it to:
WA_DFP_UploadFiles("WA_UploadResult1", "photo", "0", "", "true", $WA_UploadResult1_Params);