Any registered user can upload any file.
Proof of Concept:
Login as regular user (created using wp-login.php?action=register):
File will be visible:
- 29-10-2014: Discovered
- 16-11-2014: Vendor notified
- 17-11-2014: Version 3.0.9 released, issue resolved