Some websites may provide file viewing or download functionality because of business needs. If you do not limit user from viewing or downloading files, a malicious user may attempt to view or download any file from your server.
Attackers may construct malicious requests to download sensitive files from the server, and further embed website webshell files to control the website server host.
Update the CMS or plug-in you are using to the latest version.
Delete the file with the vulnerability if it is no longer being used.
Note: Make a backup before deleting the file.