(but probably not yours…)
Researchers have created a proof-of-concept exploit that would enable bad actors to target a severe vulnerability in PHP, the programming language behind several major CMS platforms, including WordPress. The vulnerability remains unresolved more than a year after it was reported.
[Editor note: “Proof of concept” means that they’ve figured out how to do this in a security research lab. As far as we know this exploit has NOT been found “in the wild”. So between that and the required privileges described below, you’re probably safe.]
The researchers at Secarma who uncovered the exploit said it could let bad actors open up thousands of WordPress sites (and other web applications) to remote code execution.
“For WordPress, an attacker would need privileges to upload and modify media items to gain sufficient control of the parameter, researchers said.”
Full article: https://threatpost.com/severe-php-exploit-threatens-wordpress-sites-with-remote-code-execution/136649/