I am aware that the problem is not visible at a glance and I purposely did not want to share the exact exploit instructions (I shared a working exploit with the hestia team).
Unfortunately, many people don’t know that a web user doesn’t need to have any rights to their PHP socket, only the user running the web server needs those. If this rule is not applied, vulnerabilities arise.
Using PHP-FPM is definitely good. It just needs to be set up correctly - for example, never use TCP sockets on a single-server setup.
The Unix socket permissions you show are part of another vulnerability that allows the user to change their PHP settings, allowing them to, for example, enable otherwise disabled system functions and thus use the server for crypto mining or implant code in RAM to reinfect the site.
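As an added illustration (not part of the original comment and not Hestia's own configuration), here is a per-user PHP-FPM pool laid out the way the comment describes: scripts run as the hosting account, the socket belongs to the web server account only, and the function blacklist is set with a directive the user cannot override. The pool name, account names and socket path are assumed placeholders.

```ini
; Added example, not from the original post or from Hestia.
; Pool name, user/group names and the socket path are assumed.

[example_user]
; PHP scripts execute as the hosting account...
user = example_user
group = example_user

; ...but the socket is owned by the web server account alone.
; The hosting user needs no rights on it; only the web server connects.
listen = /run/php/php-fpm-example_user.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660

; Weak alternative the comment warns against on a single-server setup:
; a local TCP socket is reachable by every local user, not just the web server.
; listen = 127.0.0.1:9000

; php_admin_value / php_admin_flag cannot be changed from .user.ini,
; ini_set() or per-directory overrides, so the user cannot re-enable these.
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen
php_admin_flag[allow_url_include] = off
```

Checking `ls -l` on the socket after a reload should show it owned by the web server account with mode 0660, not by the hosting user.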