WordPress Vulnerability Discovered

If you are currently running WordPress 4.9.6 or older, which is currently all installations, a new critical vulnerability has been discovered. According to reports it allows “an attacker the capability to delete any file of the WordPress installation”. It seems there is some debate whether this is a big deal or not. If a hacker can gain access through another vulnerability such as an unpatched plugin they can create a user and elevate the user permissions. That user can then be used to delete the wp-config.php file which in turn would cause a reinstallation of WordPress. The hacker could then replace your site with whatever they wanted.

There is a temporary hotfix.

add_filter( 'wp_update_attachment_metadata', 'rips_unlink_tempfix' );

function rips_unlink_tempfix( $data ) {
    if( isset($data['thumb']) ) {
        $data['thumb'] = basename($data['thumb']);
    }

    return $data;
}

The above code can be placed at the bottom of your themes functions.php file.

You can find more information here and here.