Many phishing kits come with web app vulnerabilities that could expose the servers used for their deployment to new attacks. Phishing kits are packages of ready to deploy fake login pages targeting a wide range of online services, ranging from Gmail and Amazon to Microsoft. The kit developers use outdated components to build them, exposing and thus which could lead to attacks from other bad actors. The developers of the phishing kit developers have a background in application security, and chase bugs like these like these bugs for money and notoriety.
Source: https://www.bleepingcomputer.com/news/security/phishing-kits-add-more-vulnerabilities-to-hacked-servers/