"Unpatched WordPress vulnerability allows code execution for authors"

The vulnerability was reported 7 months ago to the WordPress security team but still remains unpatched. The long time elapsed since the initial reporting without any patch or concrete plans has led us to the decision to make it public.


Temporary Hotfix

add_filter( 'wp_update_attachment_metadata', 'rips_unlink_tempfix' );

// Strip any directory component from the 'thumb' entry so it can only name a file
// inside the upload directory, not a path elsewhere on the server.
function rips_unlink_tempfix( $data ) {
    if ( isset( $data['thumb'] ) ) {
        $data['thumb'] = basename( $data['thumb'] );
    }

    return $data;
}

Expert opinions welcome? Does this affect Bedrock installs?

Alright… Since we’re multisite, many of our users are untrusted but they still can be admins of their own books (aka sites). We patched. Would appreciate feedback from others.