A important vulnerability into functions.php will allow a malicious user to insert a remote file. The Vulnerable Code: include_once( $phpbb_root_path . './includes/functions_categories_hierarchy.' . $phpEx ); (The phpbb_root_path isn't initialize and PHPBB_IN isn't checked)