I'm using PS 1.6 and while there are no vendor or phpunit folders I do see a phpunit file and a phpunit.xml file in the advancedeucompliance module.
The phpunit file contains this:
#!/usr/bin/env sh
main_test_path=../../../tests
${main_test_path}/vendor/bin/phpunit -c .
which includes the "vendor" folder in the path but there's no vendor folder anywhere on the site.
The phpunit.xml file contains this:
<phpunit bootstrap="bootstrap.php">
<testsuites>
<testsuite name="Unit">
<directory>Unit</directory>
</testsuite>
<testsuite name="Integration">
<directory>Integration</directory>
</testsuite>
</testsuites>
</phpunit>
I'm assuming these phpunit files are not part of the vulnerability?