Indeed this is one of the most verbose and rambling exploit descriptions I've seen... apparently you can inject some script/HTML code into a field in your profile, but I don't see how that could lead to this:

but can also remotly execute arbitrary codes to access local web-server files or configs