The researchers responsibly reported* this vulnerability to the WordPress team 7 months ago. It remains unpatched, 7 months later.
* "Responsible reporting" is when a security vulnerability is discovered and, rather than going public with it immediately, the researcher reports it to the software developer(s) so they have a chance to fix it and release a patch.
When a fix isn't released in a reasonable amount of time, the researcher often goes public with the security issue, both to warn the public and to put pressure on the software developer(s) to fix it already.
From The Hacker News: "Last week we received a tip about an unpatched vulnerability in the WordPress core, which could allow a low-privileged user to hijack the whole site and execute arbitrary code on the server.
Discovered by researchers at RIPS Technologies GmbH, the "authenticated arbitrary file deletion" vulnerability was reported 7 months ago to the WordPress security team but remains unpatched and affects all versions of WordPress, including the current 4.9.6.
The vulnerability resides in one of the core functions of WordPress that runs in the background when a user permanently deletes thumbnail of an uploaded image."
If you subscribe to our WordPress Update Management service, you're being contacted for permission to install the hotfix for this issue.