Security: Unauthenticated sqli, plus lfi allow Remote code execution then, privilege escalation on default installation

As said in the title I found different vulnerabilities in the code that could lead an unauthenticated attacker to take control of the server. For more details about the exploitation scenario you can contact me guilhemrioux@gmail.com