The vulnerability exists because EvalStdin.php accepts input from the HTTP request body (standard input) and executes it without authentication or authorization checks.
This script was originally intended to help run unit tests from the command line, but it was not secured against web-based access. How Attacks Happen index of vendor phpunit phpunit src util php evalstdinphp