wishcraft
@XoopsProject Security Vulnerability in imagemanager.php

Luckily this is only applicable if the person has admin access, however there is a security vulnerability with XOOPS 2.5.0a where the target variable can be injected to change routes around in the file target and place files around the place like PHP files or scripts.

It's not the fact you can simply do imagemanager.php?target=/../../../../../../

but the use of $_REQUEST['target'] is totally insecure. $_REQUEST[] can be overridden with a specially crafted cookie and it overwrites any $_GET or $_POST.

Report: http://www.allinfosec.com/2011/04/23/webapps-0day-xoops-2-5-0-imagemanager-php-lfi-vulnerability-7/

vCard (*.vcf): Dr. Simon Antony Roberts.vcf
Follow, Like & Read:-

x.com/EmpressFX
facebook.com/DrAntonyRoberts
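The post makes two separate points: the value is never validated, and it is read from `$_REQUEST`, whose contents can be shadowed by a cookie of the same name. Below is an added example of the defensive handling a maintainer would want for such a `target` parameter. It is not XOOPS code and not the poster's code; the upload root `/var/www/html/uploads`, the allow-listed directory names and the function name `resolveTarget` are assumptions for illustration.

```php
<?php
// Added example (not XOOPS or the poster's code): hardened handling of a
// "target" directory parameter for an image manager.
// Assumed layout: uploads live under UPLOAD_ROOT, and only the directories in
// ALLOWED_TARGETS are legitimate destinations.

declare(strict_types=1);

// Why $_REQUEST is the wrong source: when php.ini leaves request_order unset,
// $_REQUEST is filled in variables_order sequence (default "EGPCS"), so a
// cookie named "target" is merged last and overwrites the GET/POST value the
// application expected. Reading the one source the application actually
// intends ($_GET) removes that ambiguity.
const UPLOAD_ROOT     = '/var/www/html/uploads';          // assumed path
const ALLOWED_TARGETS = ['images', 'images/thumbs', 'icons']; // assumed names

/**
 * Return the canonical directory for $target, or null when it is not an
 * allow-listed subdirectory of UPLOAD_ROOT.
 */
function resolveTarget(string $target): ?string
{
    // 1. Structural check: only simple relative paths of [A-Za-z0-9_-]
    //    segments. This rejects "..", leading "/", NUL bytes and encoded
    //    variants before anything touches the filesystem.
    if (!preg_match('~^[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*$~', $target)) {
        return null;
    }

    // 2. Allow-list: exact match against known directories.
    if (!in_array($target, ALLOWED_TARGETS, true)) {
        return null;
    }

    // 3. Defence in depth: canonicalise and confirm the result is still
    //    inside UPLOAD_ROOT (guards against a symlink planted in the tree).
    $root = realpath(UPLOAD_ROOT);
    $path = realpath(UPLOAD_ROOT . '/' . $target);
    if ($root === false || $path === false) {
        return null;
    }
    if (strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

// The pattern the post describes, kept here only as a comment for contrast:
//   $dir = UPLOAD_ROOT . '/' . $_REQUEST['target'];   // attacker-controlled
//
// Hardened version: explicit source, explicit validation, explicit failure.
$target = (isset($_GET['target']) && is_string($_GET['target'])) ? $_GET['target'] : '';
$dir = resolveTarget($target);
if ($dir === null) {
    http_response_code(400);
    exit('Invalid target directory');
}
// ... continue with $dir for listing or uploading images
```

The allow-list in step 2 is what actually closes the traversal; the regex and the `realpath` comparison are there so that a future edit that relaxes the allow-list (say, to accept any existing subdirectory) does not silently reintroduce the `../` problem. A quick way to confirm the `$_REQUEST` precedence on a given host is to check `ini_get('request_order')`: if it is empty, cookies are being merged into `$_REQUEST` after GET and POST.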
