Hackers want my money

Well, no, they don’t want my money; they want my friend’s money.
Last night, two 15-year-old kids from Morocco contacted my friend to tell him that they could exploit his code to gain access to the site. They had somehow uploaded a .php file on there and were able to control anything they wanted.
They want money from him; otherwise they’ll mess with the site. I guess that’s fine, they found the error after all and it could have been much worse, but he doesn’t have money to spend on that, and he called me to help him figure out where the problem is.
I’m experienced in PHP, but that’s not gonna help me much. I’ve never been attracted to hacking websites, so I don’t know much about the latest cool tricks. The only information they gave him is the word “remote”.
Could someone point me in the right direction? What’s a common security flaw that allows someone to gain control of a site like that?

thx