Vulnerability flow and analysis

We'll dig deeper into the root cause of this vulnerability. Look at the following screenshot of the wp-admin/post.php file. Here, unsanitized input is taken from the user and stored in $newmeta:

In the wp-includes/post.php file, the same input is passed to wp_update_attachment_metadata(), which stores it in the database as a serialized value under its meta_key:

When a user clicks the delete media button, the following code reads that value back from the database and stores it in $thumbfile, then calls unlink() to remove the file it names. Because the thumb metadata contains a path to wp-config, that is the file that gets deleted:
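
To make the defensive point concrete, here is an added illustrative PHP example (not WordPress's own code) that places the unchecked unlink pattern described above beside a deletion routine that first resolves the candidate path and refuses anything that does not sit inside the uploads directory. The directory layout, file names and function names are constructed for this demo.

```php
<?php
// Added illustration, not WordPress code. Shows why a stored thumb path
// must be confined to the uploads directory before unlink() is called.

// Vulnerable pattern: the meta value read from the database is trusted as-is,
// so a value such as "../wp-config.php" escapes the uploads directory.
function delete_thumb_unchecked(string $uploadDir, string $thumbMeta): bool
{
    $thumbfile = $uploadDir . '/' . $thumbMeta;
    return @unlink($thumbfile);
}

// Hardened pattern: resolve both paths with realpath() (this also follows
// symlinks) and require that the target lies under the uploads directory.
function delete_thumb_checked(string $uploadDir, string $thumbMeta): bool
{
    $base   = realpath($uploadDir);
    $target = realpath($uploadDir . '/' . $thumbMeta);
    if ($base === false || $target === false) {
        return false;                 // bad base directory or file does not exist
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $base, strlen($base)) !== 0) {
        error_log("refused to delete path outside uploads directory: $target");
        return false;                 // containment check failed
    }
    return unlink($target);
}

// Self-contained demo on a constructed temporary layout:
//   <tmp>/wp-config.php      (must survive)
//   <tmp>/uploads/thumb.jpg  (legitimate thumbnail, may be deleted)
$root = sys_get_temp_dir() . '/wpdemo_' . bin2hex(random_bytes(4));
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/wp-config.php", "<?php // constructed sample config\n");
file_put_contents("$root/uploads/thumb.jpg", "constructed sample image");

// A traversal value is refused and wp-config.php is left in place.
$refused   = delete_thumb_checked("$root/uploads", '../wp-config.php');
$configOk  = file_exists("$root/wp-config.php");
// A genuine thumbnail inside uploads is deleted normally.
$deleted   = delete_thumb_checked("$root/uploads", 'thumb.jpg');

printf("traversal refused: %s, wp-config.php intact: %s, thumb deleted: %s\n",
    var_export($refused === false, true), var_export($configOk, true),
    var_export($deleted, true));

// Clean up the demo layout.
unlink("$root/wp-config.php");
rmdir("$root/uploads");
rmdir($root);
```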

Next, we will exploit the vulnerability using Metasploit.