Uh what? If a site lets users upload photos and puts their uploaded content into a preg function without validation, they are indeed vulnerable. However, just loading the exif data is not enough to trigger this.
Putting untrusted input into a regular expression pattern is something you shouldn't do in the first place (even without the /e modifier)
Putting untrusted input into a regular expression pattern is something you shouldn't do in the first place (even without the /e modifier)