One year ago, Ripstech reported a way that anyone with the ability to edit and delete media files could exploit WordPress. By default, Authors and higher roles have this ability, and some plugins also grant it to users.
The issue was reported in January of 2018 and blogged about in June of 2018, because there had still been no fix. The blog post was a complete guide for anyone who would want to hack WordPress. We found this exploit in all old versions of WordPress we reviewed. On December 12th, 2018, WordPress 5.0.1 was released, fixing this issue. Was this a hard, painful fix with tons of code? No. The fix essentially added one word to one line of code, yet WordPress waited nearly a year to fix this issue.