Description
The deleteinstallfiles function in control/ContentController.php in SilverStripe 2.3.x before 2.3.7 does not require ADMIN permissions, which allows remote attackers to delete index.php and "disrupt mod_rewrite-less URL routing."
Remediation
References
Related Vulnerabilities
WordPress Plugin NextGEN Gallery-WordPress Gallery Arbitrary File Upload (2.1.10)
WordPress 5.4.x Multiple Vulnerabilities (5.4 - 5.4.14)
WordPress Plugin Fast Secure Contact Form 'index.php' Cross-Site Scripting (3.0.3.1)
WordPress Plugin Eventify-Simple Events 'npath' Parameter Remote File Include (1.7.g)