Attributes on the Users tab aren't sanitized, and some of them allow code injection. This means that an authenticated user with access to the Users tab can execute arbitrary code on the web server with the application's privileges.
Adding a user with PHP code in the "Displayed name" field:
PHP being executed: