Beware of your Payment settings, particularly your PayPal setting in the PP payment system.
I have been checking mine for a couple months now since someone was able to replace my email address with theirs. When that happens, that person gets paid, and not you. It only happened once, but another one appeared today, tho he was not able to get the server to process the file named 'image.php.jpg' thanks to the update by Viart for the user upload script.