HEX
Server: Apache
System: Linux webd004.cluster130.gra.hosting.ovh.net 5.15.206-ovh-vps-grsec-zfs-classid #1 SMP Fri May 15 02:41:25 UTC 2026 x86_64
User: frenchy (106757)
PHP: 7.4.33
Disabled: _dyuweyrj4,_dyuweyrj4r,dl
$ pwd: /home/frenchy/www/_trash/wp-content/plugins/secupress/inc/functions/
Upload Files
File: /home/frenchy/www/_trash/wp-content/plugins/secupress/inc/functions/hotfixes.php
<?php
defined( 'ABSPATH' ) or die( 'Something went wrong.' );

add_filter( 'wp_update_attachment_metadata', 'secupress_fix_wp_496_1' );
/**
 * Fix the vulnerability discovered on thumb meta data on june 2018, not patched in WP core
 *
 * @param (array) $data Meta data from a media.
 * @return (array) $data Meta data from a media.
 * @author Julio Potier
 * @since 1.4.5.1
 * @source https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/
 **/
function secupress_fix_wp_496_1( $data ) {
	if ( isset( $data['thumb'] ) ) {
		$data['thumb'] = basename( $data['thumb'] );
	}

	return $data;
}
@ Telegram