I uploaded any file in the "manage Files" section, where I uploaded "webshell.zip".

Find the unzipped file in the upload folder

The content in the 2.php file is "<? php phpinfo ();? >"

url: 192.168.1.128/pluck4.7.16dev1/data/modules/webshell/2.php

I believe this is in the install modules section and not in the manage files section.

A module is to add functionality to the website, and needs a password to do. When you have the password, you can upload anything, and than utilise this uploaded content. this is impossible to fix, since this is the option to add functionality. for instance the inplace updater is an module which downloads and extracts files, an other module might do the same, so why restrict this, and restrict it to what.

Since the password is needed to exploit this, and with the password lost everything is up for grabs we won't fix this.