I found a RCE in the AION client starting from 3.0 (not confirmed the latest version vulnerable) using the built-in housing system.
Private servers are still vulnerable.
In the initial version of this post I wrote that the housing system was removed in 5.0 but some players made me notice that this is wrong indeed the housing system is still there in the retail version of AION (still maintained) but not present in the classic version of the game. This is interesting because apparently we have a bigger playground to investigate, maybe in a follow-up.
When I was younger, MMOs were everywhere. World of Warcraft had already taken over the world with millions of players, Lineage II and Runescape had their own massive communities, and when AION launched in 2009 by NCSoft (a South Korean Company) it quickly became one of the most populated MMOs, with around 6 million players in Asia and 1 million in Europe.