Maian Cart v3.8 contains a preauthorization remote code execution (RCE) exploit via a broken access control issue in the Elfinder plugin.
https://www.maianscriptworld.co.uk/
https://github.com/DreyAnd/maian-cart-rce
https://dreyand.github.io/maian-cart-rce/
http://packetstormsecurity.com/files/164445/Maian-Cart-3.8-Remote-Code-Execution.html