The vulnerability is a Remote Code Execution (RCE) in the WordPress core that allows an attacker with author privileges to execute arbitrary PHP code on the underlying server. It is caused by a Path Traversal and Local File Inclusion issue in how WordPress handles Post Meta entries and uploaded images. An attacker can exploit this by updating the _wp_attached_file meta entry to contain malicious code, which will be executed when the image is edited or cropped. The vulnerability was discovered through automated scanning and manual testing, and it has been present in WordPress versions 4.9.9 and later, as well as in earlier versions that do not have a patch applied. Even with a patch applied, the issue remains exploitable if installed plugins handle Post Meta entries incorrectly. The vulnerability was reported to the WordPress security team in October 2018, but it was not patched until December 2019, more than 6 months after its discovery.
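
One way to refuse path-traversal values in the _wp_attached_file meta entry before they are stored, including writes that arrive through a plugin. This is an added example, not WordPress core code and not the reporter's fix. The function names attached_file_is_safe and block_unsafe_attached_file are hypothetical, and the strict "no .. segment, no absolute path" policy is an assumption; update_post_metadata and add_post_metadata are WordPress's own filters.

```php
<?php
// Added example, not WordPress core code. Function names are hypothetical.

/** True when $value is a relative path with no traversal out of uploads. */
function attached_file_is_safe($value): bool
{
    // The meta entry should be a non-empty string without NUL bytes.
    if (!is_string($value) || $value === '' || strpos($value, "\0") !== false) {
        return false;
    }
    // Treat Windows separators like forward slashes before inspecting segments.
    $path = str_replace('\\', '/', $value);
    // Reject absolute paths, drive letters and stream wrappers (scheme:...).
    if ($path[0] === '/' || preg_match('#^[a-z][a-z0-9+.-]*:#i', $path)) {
        return false;
    }
    // Any ".." segment is refused outright rather than resolved.
    return !in_array('..', explode('/', $path), true);
}

/** Filter callback: a non-null return value short-circuits the meta write. */
function block_unsafe_attached_file($check, $object_id, $meta_key, $meta_value)
{
    if ($meta_key === '_wp_attached_file' && !attached_file_is_safe($meta_value)) {
        return false; // refuse the update
    }
    return $check; // leave every other meta write untouched
}

if (function_exists('add_filter')) {
    // Inside WordPress (for example as a must-use plugin): guard both write paths.
    add_filter('update_post_metadata', 'block_unsafe_attached_file', 10, 4);
    add_filter('add_post_metadata', 'block_unsafe_attached_file', 10, 4);
} else {
    // Stand-alone run: constructed sample values, not taken from a real site.
    $samples = [
        '2019/02/photo.jpg',
        '2019/02/../../../outside/photo.jpg',
        '..\\..\\outside\\photo.jpg',
        '/var/tmp/photo.jpg',
    ];
    foreach ($samples as $sample) {
        printf("%-40s %s\n", $sample, attached_file_is_safe($sample) ? 'ok' : 'REJECT');
    }
}
```

Run with the PHP CLI, the script prints a verdict for each constructed value; loaded inside WordPress, it registers the two filters instead.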