You stated

PHP Remote File Inclusion

Thats your number 1 bet to allow a remote file upload = RFI where

i would show examples but unfortunately we can not even post 2 links on post

google RFI examples/ tutuorials

you also stated XSS if the XSS is a permenant XSS and not client side then you can setup a .js script onto a remote folder and inject the site with a xss that logs the account information