I found an LFI at the URL "/details.php?prod=1&type=1&lang=USD".
The "My Account" page is vulnerable to SQL injection. The email address must be a valid email address. It wouldn't accept email@example.com.
Back on the "My Account" page, I logged in with firstname.lastname@example.org and a password of "' or 1=1 -- ".
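Why that password value logs in, and what the fix looks like, as an added example that is not part of the original write-up. The target's PHP code and schema are not shown on the page, so this models the login with an in-memory SQLite table; the `users` table, its columns, the sample account and the function names are all assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

PAYLOAD = "' or 1=1 -- "  # password value quoted in the write-up


def make_db():
    # Constructed sample data (hypothetical schema, not the target's).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT,"
               " salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", b"correct horse", salt, 100_000)
    db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
               ("alice@example.org", "correct horse", salt, pw_hash))
    return db


def login_vulnerable(db, email, password):
    # Input is pasted into the SQL text: a quote in `password` closes the
    # string literal, `or 1=1` makes the WHERE clause true for every row,
    # and `-- ` comments out the trailing quote.
    sql = ("SELECT email FROM users WHERE email = '%s' AND password = '%s'"
           % (email, password))
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(db, email, password):
    # Bound parameter: `email` reaches the engine as data, never as SQL.
    row = db.execute("SELECT email, salt, pw_hash FROM users WHERE email = ?",
                     (email,)).fetchone()
    if row is None:
        return None
    # The password never enters the query; it is hashed and compared in code.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), row[1], 100_000)
    return row[0] if hmac.compare_digest(candidate, row[2]) else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "nobody@example.org", PAYLOAD))
    print("hardened:  ", login_hardened(db, "nobody@example.org", PAYLOAD))
```

The same bound-parameter pattern applies to the `prod` parameter on the product pages, where the value should additionally be validated as an integer before it reaches the query.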
After multiple tests, I was able to exploit stored XSS on the site with "<a onmouseover=alert(document.cookie)>xxs link</a>". Any requests containing SCRIPT were filtered on the blog form. OWASP has an excellent cheat sheet on XSS filter evasion at https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet.
I was able to use sqlmap to exploit SQL injection with any of the product pages, using URL "/details.php?prod=1" for example. This was a blind SQL injection vulnerability, meaning that my usual methods of manually pulling info from the database to be displayed on the page didn't work, so I let sqlmap do the heavy lifting as blind SQL injection can be very difficult to exploit.
I pasted the hash into crackstation.net and found the root password. Had it not been found on crackstation, I would have run it through oclHashcat, which uses the GPU to run through very large password lists in a few minutes.
This wasn't the most difficult web app that I've worked through. It did provide a couple of hours of fun on an afternoon off from work.