Vulnerability threat to WordPress core

Top cyber security experts have talked of an impending vulnerability that could put WordPress in a fix and unless the renowned content management system releases a patch to counter it a serious consequences is in the offing. 
In a recent disclosure, the experts claimed to have got wind of the vulnerability in November last year forcing them to write to the WordPress authority and suggested a patch to negate the possibility of a mess in the system. 
But the things refused to progress. Those doing research on it claimed to have found out the bug in question in PHP where images uploaded on the WordPress site is deleted. 
Thus, the attackers could takes the rein of the content management system of the WordPress. 
According to what they say, the cyber criminals can attack the system deploying a malicious code in a WordPress owned site and as a result, the WordPress core containing crucial data and files would be deleted. 
Only the bug could be exploited by the users with the ability to get a post created with images. 
This is what the mechanism to minimise the impact of the vulnerability, say the researchers. 
In doing so, even if somebody attempts to attack registering an user account in a site, he or she could cash in on the vulnerability before hijacking a site.
Hijacking site is not impossible since vulnerability is there for the attackers who would delete the config file of a site. 
Usually, the attackers then would install the file and the site afresh. But this time they would use the database settings of their own. 
The researchers are, more or less, agree that the vulnerability in question would leave the WordPress CMS versions affected along with v4.9.6, the updated WordPress version. 
The WordPress team members are tightlipped on the issue even six months after they received the sets of suggestion to deploy a patch. But they never denied the authenticity of the findings. 
The vulnerability, it is said, has little chance to be exploited in a big way since there is no author level account on a WordPress-owned site. 
The team of researchers has released a hotfix, which indeed, is a PHP code for those who own sites to enable them to add it to the .php file to remain unharmed.