A code injection vulnerability in hisiphp 2.0.11
In https://github.com/hisiphp/hisiphp/blob/d05c908c29d574b84aa9e8932b13a5ef54e0a429/application/system/admin/Plugins.php#L129, $data
is controlled by users.
$model = new PluginsModel();
$data = $this->request->post();
$result = $this->validate($data, 'app\system\validate\SystemPlugins');
if ($result !== true) {
return $this->error($result);