An issue exists in taocms 3.0.2. in the website settings that allows arbitrary php code to be injected by modifying config.php.
taogogo taocms 3.0.2