RIPS Technologies (www. www.ripstech.com/) published an arbitrary file deletion vulnerability in the WordPress core on 26 June 2018. Any WordPress version including the current version is affected. After an attacker gains the privileges to edit and delete media files, the vulnerability can be used to escalate privileges attained through the takeover of an account with a role as low as Author. An attacker could exploit this vulnerability to completely take over the WordPress site and to execute arbitrary code on the server.
At the time of writing no patch preventing this vulnerability is available.
WordPress version <= v.4.9.6
An arbitrary file deletion vulnerability occurs when unsanitized user input is passed to a file deletion function. In PHP this happens when the unlink() function is called and user input can affect parts of or the whole parameter $filename, which represents the path of the file to delete, without undergoing proper sanitization.
The code section which made this vulnerability possible in the WordPress Core is found in the wp-includes/post.php file.
WordPress has not released any patch to fix this vulnerability. Users are recommended to pay close attention on updates at https://wordpress.org/download/.
RIPS researchers provided a temporary fix that can be integrated into an existing WordPress installation by adding it to the functions.php file of the currently active theme/child-theme. For details, please visit https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/