, evildictait​or wrote

One of those is a root shell on your server.

trivially exploitable by a hacker determined to get root on my server.

I don't think so. Even if you have the ability to execute arbitrary PHP on a server, your scripts can only execute with the rights of PHP interpreter. And depending on the server PHP is running on (eg: RHEL), that might not be many rights at all.