PHP-Nuke contains a flaw that allows a remote attacker to read arbitrary files or execute arbitrary commands. The issue is due to the bbcode_ref.php not sanitizing input passed to the $user variable. By altering values for this variable, an attacker could execute SQL queries to change user settings and gain administrative privileges.
Upgrade to version 4.4.1 or higher, as it has been reported to fix this
vulnerability. An upgrade is required as there are no known workarounds.