On June 26, RIPS Technologies reported that every WordPress version, including the then-current 4.9.6, allows any logged-in user with the Author role or higher to delete arbitrary files on the server. In a standard WordPress installation, any user with a role of Author or higher can upload media attachments (such as images) and edit their metadata (such as descriptions). By exploiting this arbitrary file deletion vulnerability, a malicious actor can pivot and take control of the affected site.
Most critically, a site's wp-config.php file can be deleted. With no wp-config.php in place, WordPress assumes that a fresh installation is taking place. From that point, the attacker can run the installer with their own settings and make themselves an administrator, which they can then use to upload and execute any other scripts they wish.
What Should You Do?
WordPress has already fixed this bug in its latest update, so get version 4.9.7 if your site has not been upgraded automatically. And don't forget to check your user list again for any suspicious accounts. If you find one, you know what to do: kick that user out of your website!
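The two checks above, as an added example that is not part of the original post: a POSIX shell script that reads the core version from `wp-includes/version.php`, compares it against 4.9.7, warns if `wp-config.php` is missing (the post-exploitation symptom described above), and, in a separate `remediate` step, uses WP-CLI to update core and list every account at Author level or above for review. The document root path is an argument you supply; WP-CLI (`wp core update`, `wp user list`) is assumed to be installed only for `remediate`, the audit itself needs nothing beyond standard tools. Run with no argument, it audits a constructed demo tree (core 4.9.6, no `wp-config.php`) so you can try it offline.

```shell
#!/bin/sh
# Added example (not from the original post): audit a WordPress document root
# for the 4.9.7 core fix and for a missing wp-config.php, then list the
# accounts that hold the Author role or higher. Only remediate() needs WP-CLI.

FIXED_VERSION="4.9.7"   # first release carrying the fix

# Print the core version declared in wp-includes/version.php ($1 = file path).
wp_version_from_file() {
    grep -F 'wp_version =' "$1" | head -n 1 | cut -d"'" -f2
}

# Exit 0 if version $1 is older than version $2 (dotted numeric comparison;
# a missing trailing field counts as 0, so 4.9 < 4.9.7).
version_lt() {
    lhs="$1." rhs="$2."
    while [ -n "$lhs" ] || [ -n "$rhs" ]; do
        l=$(printf '%s' "${lhs%%.*}" | tr -cd '0-9'); lhs="${lhs#*.}"
        r=$(printf '%s' "${rhs%%.*}" | tr -cd '0-9'); rhs="${rhs#*.}"
        l="${l:-0}"; r="${r:-0}"
        [ "$l" -lt "$r" ] && return 0
        [ "$l" -gt "$r" ] && return 1
    done
    return 1
}

# Exit 0 if the install at $1 still runs a core version before the fix.
wp_core_vulnerable() {
    v=$(wp_version_from_file "$1/wp-includes/version.php") || return 2
    [ -n "$v" ] || return 2
    version_lt "$v" "$FIXED_VERSION"
}

# Exit 0 if wp-config.php is present. Its absence is the symptom the post
# describes: WordPress then offers the installer to whoever visits the site.
wp_config_present() {
    [ -f "$1/wp-config.php" ]
}

# Remediation with WP-CLI (assumed installed): update core, then list every
# account at Author level or above so unknown ones can be reviewed and removed.
remediate() {
    root="$1"
    wp --path="$root" core update --version="$FIXED_VERSION"
    for role in administrator editor author; do
        echo "== role: $role =="
        wp --path="$root" user list --role="$role" \
            --fields=ID,user_login,user_email,user_registered
    done
}

audit() {
    root="$1"
    if wp_core_vulnerable "$root"; then
        echo "core $(wp_version_from_file "$root/wp-includes/version.php") predates $FIXED_VERSION: update now"
    else
        echo "core version is at or beyond $FIXED_VERSION"
    fi
    wp_config_present "$root" || echo "WARNING: wp-config.php missing; the site may have been reset by an attacker"
}

# With an argument, audit that document root. Without one, audit a constructed
# demo tree (core 4.9.6, no wp-config.php) so the script can be tried offline.
if [ $# -gt 0 ]; then
    audit "$1"
else
    demo=$(mktemp -d)
    mkdir -p "$demo/wp-includes"
    printf "<?php\n\$wp_version = '4.9.6';\n" > "$demo/wp-includes/version.php"
    audit "$demo"
    rm -rf "$demo"
fi
```

After the audit reports a pre-4.9.7 core, run `remediate /path/to/docroot` (hypothetical path) and compare the listed accounts against the people you actually know; the `user_registered` column makes accounts created around the time of a suspected compromise easy to spot.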