In a shared hosting environment that has been misconfigured to allow access
to other users’ content, a Moodle user with both access to restore database
activity modules and direct access to the web server outside of the Moodle
webroot could execute a local file include.