An issue discovered in phpwcms 1.9.25 allows remote malicious users to run arbitrary code via DB user field during installation.
phpwcms phpwcms