High school. The teacher in IT made some learning platform for the school in PHP. There was a module where you could upload files.

You could just upload a PHP file, and get it to run by accessing it through a direct link.

Ohhhhh... Remind me again, what high school were you in?

@Aitkotw lol no, maybe the dude's on here 🤔

Well that is really bad. You have full control over the server.

The worst security breach I experienced in my career had to do with basically the same issue. It was luckily not my fault but it's hard to blame the sysadmin too.

There where rules to prevent php execution in the web writable dir in the webserver config. Unfortunately another statement that did not look it undid the protection. The CMS had a security issue that allowed for php files to be uploaded in the first place.
Disaster but not because of stupidity.