It’s possible to execute arbitrary commands through the login form because the exec() function is called without escapeshellarg() or escapeshellcmd() being applied to its input.
So we can create a string that looks like this: wto -n "a" || other_command || "" -g, which means that both wto and other_command will be executed.
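The unescaped pattern described above next to a hardened form, as an added PHP example that is not the product's own code. The command layout wto -n "<username>" -g is an assumption inferred from the string quoted above; the function names and sample inputs are constructed for illustration, and nothing is executed.

```php
<?php
// Added illustration; not code from the affected product.
// Assumption: the login handler builds `wto -n "<username>" -g`,
// inferred from the command string quoted in the text above.

// Vulnerable pattern: request data is pasted straight into the shell command line,
// so a double quote in the value closes the argument and `||` starts a new command.
function build_cmd_unsafe(string $username): string
{
    return 'wto -n "' . $username . '" -g';
}

// Hardened pattern: allow-list the value first, then quote it as ONE shell argument.
function build_cmd_safe(string $username): string
{
    if (!preg_match('/\A[A-Za-z0-9._-]{1,32}\z/', $username)) {
        throw new InvalidArgumentException('invalid username');
    }
    return 'wto -n ' . escapeshellarg($username) . ' -g';
}

// Constructed sample inputs: a normal name and the string form from the text.
$samples = ['admin', 'a" || other_command || "'];

foreach ($samples as $input) {
    echo 'input:  ', $input, PHP_EOL;
    echo 'unsafe: ', build_cmd_unsafe($input), PHP_EOL;
    try {
        echo 'safe:   ', build_cmd_safe($input), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'safe:   rejected (', $e->getMessage(), ')', PHP_EOL;
        // Even without the allow-list, escapeshellarg() alone keeps the whole
        // value inside a single quoted argument, so `||` is never seen by the shell.
        echo 'quoted: wto -n ', escapeshellarg($input), ' -g', PHP_EOL;
    }
    echo PHP_EOL;
}
```

The same two steps (validate, then escapeshellarg() per argument) apply to every request value that reaches exec(), whether it arrives in $_GET, $_POST or $_COOKIE.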
There are a few more places where parameters are not escaped. $_GET["vv_sharename"]:
Unescaped parameter $_POST['oldName']:
Unescaped parameter $_COOKIE['username']:
Inside lib/login_checker.php there is a login_check() function that is used to check whether the user is logged in, but it’s possible to bypass this function because it simply checks whether $_COOKIE['username'] and $_COOKIE['isAdmin'] exist.