Remote Code Execution (or Code Injection) is a type of vulnerability where an attacker is able to execute a malicious code as a consequence of a successful injection attack. RCE differs from command injections because an attacker is restricted by the limitations of the language used when executing the injected code, which means that an RCE can carry a higher threat level and cause a host of problems for site owners.
RCE generally occurs when an application evaluates code before its validated, meaning that it runs the code before its verified whether its safe to do so. Code injections can be incredibly harmful and damaging, but in some cases, the attacker may even possess the ability to escalate a code injection vulnerability to be more impactful. Through the execution of arbitrary operating system (OS) commands on the server using PHP an attacker will have gained enough access to your website to potentially cause irrevocable damage.