Company
Date Published
Author
Robin Peraglie
Word count
1055
Language
English
Hacker News points
None

Summary

BigTree CMS 4.4.6, the latest version at the time of writing, was found to contain multiple vulnerabilities, including a SQL Injection and a Phar Deserialization that can lead to Remote Code Execution. By chaining the SQL Injection with Cross-Site Scripting (XSS), an attacker can smuggle sensitive data out of the web application and potentially execute arbitrary code on the server. The Phar Deserialization arises from a custom curl wrapper function that permits loading files from the local file system; it can be reached either by stealing a CSRF token or via a specially crafted URL, and allows injecting malicious PHP code. The vulnerabilities were discovered through automated security testing and illustrate the value of investing in centralized security modules and in automated testing that catches vulnerable leftovers of legacy code.