Recently RIPS revealed that WordPress up to 4.9.6 still has an arbitrary file deletion vulnerability. WordPress sites that have users with Author or similar permissions are threatened by this vulnerability. An attacker can cause arbitrary file deletion by constructing the 'thumb' path of an attachment. In serious cases, this leads to the attacker obtaining site administrator permissions and controlling the server.
Repair method (post.php is the repaired file):
diff post.php.2018-07-23 post.php
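
The flaw described above comes down to deleting a file whose path is built from a stored 'thumb' value without checking where it resolves. The following containment check is an added example, not code from the original page or from WordPress core; the function names safe_thumb_path and delete_thumb, the directory layout and the metadata values are hypothetical and constructed for the demonstration.

```php
<?php
// Added example: helper names and paths are hypothetical, not WordPress core code.

/**
 * Resolve a stored 'thumb' value to a file inside $uploadsDir,
 * or return null when it is missing or would escape that directory.
 */
function safe_thumb_path(string $uploadsDir, string $thumb): ?string
{
    $base = realpath($uploadsDir);
    if ($base === false || $thumb === '') {
        return null;
    }
    // realpath() collapses ../ segments and symlinks; false means no such file.
    $target = realpath($base . DIRECTORY_SEPARATOR . $thumb);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Require the resolved path to sit under the uploads directory.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

/** Delete the thumbnail only when it passes the containment check. */
function delete_thumb(string $uploadsDir, string $thumb): bool
{
    $path = safe_thumb_path($uploadsDir, $thumb);
    return $path !== null && unlink($path);
}

// Constructed sample layout in a temporary directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'thumbdemo_' . bin2hex(random_bytes(4));
$uploads = $root . DIRECTORY_SEPARATOR . 'uploads';
mkdir($uploads, 0700, true);
file_put_contents($uploads . DIRECTORY_SEPARATOR . 'photo-150x150.jpg', 'thumb');
file_put_contents($root . DIRECTORY_SEPARATOR . 'site-config.txt', 'keep me');

// Constructed metadata values: one ordinary, one pointing outside uploads.
foreach (['photo-150x150.jpg', '../site-config.txt'] as $thumb) {
    printf("%-22s deleted=%s\n", $thumb, delete_thumb($uploads, $thumb) ? 'yes' : 'no');
}
printf("file outside uploads still present=%s\n",
    file_exists($root . DIRECTORY_SEPARATOR . 'site-config.txt') ? 'yes' : 'no');
```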