Arbitrary file write vulnerability in beescms v.4.0, allows a remote malicious user to execute arbitrary code via a file path that was not isolated and the suffix was not verified in admin_template.php.