Vendor: ATutor
By: AkkuS
CVSS: 7.5 (HIGH)
CWE: Arbitrary File Upload
Product Name: ATutor
Affected Version From: 2.2.2004
Affected Version To: 2.2.2004
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:

ATutor < 2.2.4 'file_manager' Remote Code Execution

This module allows a user with teacher privileges to run commands on the server. The 'Upload files' section of the 'File Manager' contains an arbitrary file upload vulnerability. The '$IllegalExtensions' check is weak: the list of blocked extensions can be seen in 'constants.inc.php' (exe|asp|php|php3|php5|cgi|bat...), but the comparison is not case-insensitive, so it can be bypassed with filenames such as '.phP' or '.Php'. Dangerous extensions such as 'shtml' and 'phtml' are also not on the list. The directory path for the 'content' folder is set in 'config.inc.php'; for the exploit to work, the content folder defined by 'define('AT_CONTENT_DIR', 'address')' must be located in the web root, or its address must be known. The exploit creates a course as the teacher user and uploads the malicious PHP file to the server.
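The weakness described above is a case-sensitive extension blacklist. The following is an added example, written in Python rather than PHP and not ATutor's own code, that places a check with that flaw beside a hardened allow-list check, and adds a small audit function for spotting script files already sitting in an upload directory. The blocked-extension list mirrors the entries the page quotes from 'constants.inc.php'; the allow-list, the audit list and the sample filenames are constructed for the example.

```python
import os

# Blocked extensions as the page quotes them from ATutor's constants.inc.php
# (exe|asp|php|php3|php5|cgi|bat ...). The real list continues; this is a subset.
ILLEGAL_EXTENSIONS = ["exe", "asp", "php", "php3", "php5", "cgi", "bat"]

# Assumed allow-list for the hardened check (example policy, not ATutor's).
ALLOWED_EXTENSIONS = {"txt", "pdf", "png", "jpg", "jpeg", "gif", "zip"}

# Assumed set of server-side script extensions used only by the audit helper.
SCRIPT_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar", "shtml",
    "cgi", "pl", "asp", "aspx", "jsp", "exe", "bat",
}


def weak_is_allowed(filename: str) -> bool:
    """Reproduces the flaw the page describes: a case-sensitive blacklist that
    only looks at the last extension. 'x.phP' and 'x.phtml' both pass."""
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    return ext not in ILLEGAL_EXTENSIONS


def hardened_is_allowed(filename: str) -> bool:
    """Allow-list check: reject path components, lower-case before comparing,
    require a base name plus at least one extension, and require every dotted
    segment after the base name to be allow-listed (so 'x.php.jpg' and
    'x.jpg.phtml' are both rejected, whatever the server's handler rules)."""
    name = os.path.basename(filename)
    if name != filename or name in ("", ".", ".."):
        return False
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False
    return all(segment in ALLOWED_EXTENSIONS for segment in parts[1:])


def audit_content_dir(filenames):
    """Defender-side check for an existing content directory: return the names
    whose extension segments (case-folded) include a script extension."""
    flagged = []
    for f in filenames:
        segments = os.path.basename(f).lower().split(".")[1:]
        if any(segment in SCRIPT_EXTENSIONS for segment in segments):
            flagged.append(f)
    return flagged


if __name__ == "__main__":
    # Constructed sample of uploaded names; 'shell.phP' is the pattern the page describes.
    samples = ["notes.pdf", "shell.phP", "page.phtml", "pic.php.jpg", "../evil.pdf"]
    for s in samples:
        print(f"{s:14} weak={weak_is_allowed(s)!s:5} hardened={hardened_is_allowed(s)}")
    print("audit:", audit_content_dir(samples))
```

The audit helper is the piece worth running against an existing 'content' directory: because the vulnerable check only compares the final, case-preserved extension, anything already on disk has to be re-examined case-insensitively and across every dotted segment, not just the last one.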

Mitigation:

Source

Exploit-DB raw data: