Company
Date Published
Author
Karim El Ouerghemmi
Word count
1339
Language
English
Hacker News points
None

Summary

The WordPress CMS contains an arbitrary file deletion vulnerability that can lead to attackers executing arbitrary code. It allows them to delete and manipulate files on the server, with potentially disastrous consequences if no current backup is available. The vulnerability was reported to the WordPress security team 7 months ago but remains unpatched, affecting approximately 30% of all websites using WordPress. To exploit it, an attacker would first need to gain privileges to edit and delete media files; the vulnerability can then be used to escalate privileges and execute arbitrary code on the server. A temporary hotfix has been provided to prevent attacks until a permanent patch is released.