The remote file inclusion bug was fixed the day after we were alerted - we were not even informed about the SQL injection one :sigh: