Advantech WebAccess before 8.1 allows remote attackers to execute arbitrary code via vectors involving a browser plugin.