On December 22th, 2015, a bug bounty hunter called Juhhga reported another reflected XSS on Shopify. Let's check the request he made:

    Content-Disposition: form-data; 
    name="properties[Artwork file]" after: Content-Disposition:
           form-data; 
    name="properties[Artwork file<img src='test' 
          onmouseover='alert(2)'>]";

He found that the Artwork File was vulnerable to XSS, and inserted the JavaScript code there.

If you want to read the complete report, you can find the original post here: https://hackerone.com/reports/95089.