
WordPress File Delete to Code Execution


Lately I have been working hard to migrate our clients from VestaCP, which got hacked twice, to Virtualmin; its port was already temporarily blocked until further notice, and I have finally decided to give our clients some old Virtualmin instead. While doing so I found this:

Luckily, you must have an account to exploit this vuln, else it would have been a disaster for every live WordPress.

Temp fix: in your theme's functions.php, place this hook.

// Strip any directory components from the 'thumb' entry before the
// attachment metadata is saved, so it can only name a file next to the
// original upload.
add_filter( 'wp_update_attachment_metadata', 'rips_unlink_tempfix' );

function rips_unlink_tempfix( $data ) {
    if ( isset( $data['thumb'] ) ) {
        $data['thumb'] = basename( $data['thumb'] );
    }

    return $data;
}



  • Yup, IIRC from a post, they have known about this for a long time but haven't released a patch yet.

  • Update your WordPress, guys, the issue has been fixed.

    WordPress versions 4.9.6 and earlier are affected by a file deletion issue where a user with the capability to edit and delete media files could potentially manipulate media metadata to attempt to delete files outside the uploads directory.
