Translations:Manual:Image authorization/118/en

If the attacker can exploit the broken script to upload or generate another script intented to help him with further attacks/spamming etc, the attacker still needs a place to store that script in, writable by the web server ... and has it available and well known in the 'images' directory of MW standard installations.