An issue in hisiphp v2.0.111 allows a remote malicious user to execute arbitrary code via a crafted script to the SystemPlugins::mkInfo parameter in the SystemPlugins.php component.