Arbitrary File Deletion Flaw Present in WordPress Core

This recently discovered security hole requires that a malicious actor has access to an account with Author or higher abilities, so it probably won’t be a big concern for most of our clients. We expect an update of WordPress to correct this problem soon.

In the meantime, we suggest that you review the Users section of your site for any Author or Admin accounts which are no longer needed. You can either downgrade them to simple Subscriber level access or “No role” access. If you choose to delete an account which was used to post valuable information on your site, you can transfer ownership of those posts to an account you will retain.

More details at

Posted in Exploit.