XenForo before 2.3.9 and before 2.2.18 allows remote code execution (RCE) by authenticated, but malicious, admin users. An attacker with admin panel access can execute arbitrary code on the server.CreditsUwUReferenceshttps://xenforo.com/community/threads/xenforo-2-3-9-inc-xfmg-2-2-18-released-security-fix.235659/https://www.vulncheck.com/advisories/xenforo-remote-code-execution-via-authenticated-admin
