In ExpressionEngine before 7.2.6, remote code execution can be achieved by an authenticated Control Panel user.