1 year ago Ripstech reported a way anyone who has the ability to edit and delete media files could exploit WordPress. By default Authors and higher have this ability, however some plugins also grant users this ability.
This was reported in January of 2018 and blogged about in June of 2018, since there had been no fix. The blog post was a complete guide for anyone who would want to hack WordPress. We found this exploit in all old versions of WordPress we reviewed. On December 12th, 2018 WordPress 5.0.1 was released fixing this issue. Was this a hard, painful fix with tons of code? No. It was adding essentially one word to one line of code, yet WordPress waited nearly a year to fix this issue.
While WordPress may have considered it not a severe vulnerability that could be exploited since by default it required author abilities, they forgot about WordPress plugins. WordPress plugins to make media sharing from users easy made this a severe issue.
While it is faster than the time WordPress took six years to fix an issue, it still is not a fast enough response time. It is worth mentioning that we review all code including the WordPress core and WordPress plugins. If you have any questions, feel free to buy our services, use our free plugin, or contact us by email.