dweeves/magmi is vulnerable to cross-site request forgery (CSRF). Lack of proper CSRF protection and no CSRF token in place to check legitimate request allows an attacker to use an existing admin session to subsequently cause a remote code execution via phpcil command.