The PASS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote SqL-Injection bypass Authentication, XSS-Stored and PHPSESSID Hijacking. The vulnerable app: to remote SqL - injection bypass Authentication is "login.php", with parameters: "username" and "password". After the successful PWNED of the credentials for the admin account, the malicious user can be storing an XSS payload, whit who can take the active PHPSESSID every time when he wants to log in to the system with an admin account by using this exploit.