An issue discovered in phpwcms 1.9.25 allows remote attackers to run arbitrary code via DB user field during installation.