There's more...

This vulnerability can also be abused for a Denial of Service (DoS) attack known as billion laughs. You can read more about it on Wikipedia: https://en.wikipedia.org/wiki/Billion_laughs.

PHP supports another wrapper for XML entities (alongside ones such as file:// and http://) which, if enabled on the server, could allow command execution without the need to upload a file: expect://. You can find more information on this and other wrappers at http://www.php.net/manual/en/wrappers.php.
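
On the defensive side, both issues go away when the application refuses DTDs and never substitutes entities. The following is an added example, not code from this book: `loadUntrustedXml()` is a hypothetical helper name, the 1 MB size limit is an assumed value, and the sample documents are constructed.

```php
<?php
// Added example, not from the book. loadUntrustedXml() is a hypothetical helper.
function loadUntrustedXml(string $xml, int $maxBytes = 1048576): DOMDocument
{
    if ($xml === '' || strlen($xml) > $maxBytes) {
        throw new InvalidArgumentException('XML input empty or too large');
    }
    // Drop the expect:// wrapper for this request if the extension registered it.
    if (in_array('expect', stream_get_wrappers(), true)) {
        stream_wrapper_unregister('expect');
    }
    // On PHP before 8.0, switch the external entity loader off explicitly;
    // the function is deprecated from 8.0 on, so it is not called there.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // LIBXML_NONET forbids network access while parsing. LIBXML_NOENT,
    // LIBXML_DTDLOAD and LIBXML_PARSEHUGE are deliberately left out: no entity
    // substitution, no external DTD, and libxml2's expansion limits stay active.
    $ok = $doc->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if (!$ok) {
        throw new InvalidArgumentException('Malformed or rejected XML');
    }
    // Application data rarely needs a DTD, so any DOCTYPE is refused outright.
    if ($doc->doctype !== null) {
        throw new InvalidArgumentException('DOCTYPE declarations are not accepted');
    }
    return $doc;
}

// Constructed sample inputs: one plain document, one with a harmless internal entity.
$samples = [
    'plain'   => '<order><item>book</item></order>',
    'doctype' => '<!DOCTYPE order [<!ENTITY t "book">]><order><item>&t;</item></order>',
];
foreach ($samples as $name => $xml) {
    try {
        loadUntrustedXml($xml);
        echo "$name: accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "$name: rejected (" . $e->getMessage() . ")\n";
    }
}
```

The DOCTYPE check runs after parsing rather than as a string match on the raw input, so it does not depend on how the document is encoded.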
