cubecart / v6

CubeCart Version 6
https://cubecart.com

Path traversal / LFI may lead to RCE #3586

Closed abrookbanks closed 2 months ago

abrookbanks commented 2 months ago

In the admin panel, parameters such as _g and node are used to construct the path to include .inc.php files and execute PHP code. A malicious user with the ability to upload .inc.php files anywhere on the server can exploit a path traversal vulnerability to include them and execute malicious code.

Risk: Low
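
An added example, not part of the original issue and not CubeCart's own code: one way to resolve request-supplied `_g` and `node` values to an `.inc.php` file while refusing anything that escapes the intended directory. The `<group>/<node>.inc.php` layout, the function name `resolve_admin_include` and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Hypothetical resolver: the directory layout and names are assumptions,
// not taken from the CubeCart code base.
function resolve_admin_include(string $baseDir, string $g, string $node = 'index'): ?string
{
    // 1. Accept only plain identifiers: no dots, slashes, NUL bytes or stream wrappers.
    foreach ([$g, $node] as $part) {
        if (!preg_match('/\A[a-z0-9_]{1,64}\z/i', $part)) {
            return null;
        }
    }

    // 2. Canonicalise both paths; realpath() resolves symlinks and ".." segments.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $g . DIRECTORY_SEPARATOR . $node . '.inc.php');
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }

    // 3. Containment: the resolved file must still live under the base directory,
    //    which also catches a symlinked sub-directory pointing elsewhere.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}

// Constructed demo tree in a temporary directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'admin_src_' . bin2hex(random_bytes(4));
mkdir($base . '/products', 0700, true);
file_put_contents($base . '/products/index.inc.php', "<?php // constructed sample\n");

// Constructed inputs: one legitimate pair, then values a validator must refuse.
$cases = [
    ['products', 'index'],
    ['../../uploads', 'x'],
    ['products', '../../x'],
    ["products\0", 'index'],
    ['products', 'missing'],
];
foreach ($cases as [$g, $node]) {
    $path = resolve_admin_include($base, $g, $node);
    printf("%-20s %-12s => %s\n", json_encode($g), json_encode($node), $path === null ? 'rejected' : 'allowed');
}

// Remove the constructed tree.
unlink($base . '/products/index.inc.php');
rmdir($base . '/products');
rmdir($base);
```

Only the first pair is allowed; the caller would pass the returned path to `include` and treat `null` as a 404.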

abrookbanks commented 2 months ago

Many thanks Julio Araujo.