SQL injection via username in Profile.php. PHP injection in News.php, install.php.
vulners.com/securityvulns/securityvulns:doc:4502
vulners.com/securityvulns/securityvulns:doc:4548
vulners.com/securityvulns/securityvulns:doc:4552