In index.php in WonderCMS before 2.4.1, remote attackers can delete arbitrary files via directory traversal.