Last week The Hacker News received a tip about an unpatched vulnerability in the WordPress core, which could allow a low-privileged user to hijack the whole site and execute arbitrary code on the server.
Discovered by researchers at RIPS Technologies GmbH, the “authenticated arbitrary file deletion” vulnerability was reported 7 months ago to the WordPress security team but remains unpatched and affects all versions of WordPress, including the current 4.9.6.