If the /install/ directory was not removed, it is possible for an unauthenticated attacker to run the "install_4.php" script, which will create the configuration file for the installation. This allows the attacker to inject PHP code into the configuration file and execute it.
806d396b8f8393708196c84967f4c3db14adf4f64c443cf3f37029101e6385f9