The uploadID.php in the Simple Employee Records System v 1.0 can be used to upload php files to the server. Those files will be uploaded to ‘/uploads/employees_ids/’ without any authentication. With the unrestricted file upload the attacker can gain RCE.