The vulnerability was reported 7 months ago to the WordPress security team but still remains unpatched. The long time elapsed since the initial reporting without any patch or concrete plans has led us to the decision to make it public.
Temporary Hotfix
add_filter( 'wp_update_attachment_metadata', 'rips_unlink_tempfix' );
function rips_unlink_tempfix( $data ) {
if( isset($data['thumb']) ) {
$data['thumb'] = basename($data['thumb']);
}
return $data;
}
Expert opinions welcome? Does this affect Bedrock installs?