News Courtesy of bleepingcomputer.com:
Security researchers from RIPS disclosed today details about an unpatched security flaw impacting WordPress, the Internet’s most popular content management system (CMS).
RIPS researchers say they have told the WordPress team about this particular vulnerability in November last year, but the WordPress devs have failed to release a patch.
The vulnerability affects the core of the WordPress CMS, and not one of its plugins or themes. More precisely, the bug was found in the PHP functions that deletes thumbnails for images uploaded on a WordPress site.
They can hijack sites because the vulnerability allows attackers to delete wp-config.php, which is a site’s config file. Attackers who delete this file can re-initiate the installation process and install the site using their own database settings, effectively hijacking the site to deliver custom or malicious content.
Ryan’s Take 
If it weren’t for the fact that “Author” privileges are needed for this attack, this bug would be huge. Usually, the WordPress team are very quick to correct flaws that have been pointed out to them. It’s hard to believe that this particular flaw has not been fixed since it was first discovered in November.
I don’t think any reputable WordPress site would allow a user to register right off the bat as an Author. As the source article mentions, if they can somehow elevate their account status then it would open the door for a website takeover. In my opinion, unless you are running some kind of forum website you should disable new registrations completely. It’s also a good idea to have a security plugin installed on your site. I highly suggest All In One WP Security & Firewall. It offers a lot of different protections against attacks.
