News Courtesy of WordPress.org:
WordPress 4.9.7 is now available. This is a security and maintenance release for all versions since WordPress 3.7. We strongly encourage you to update your sites immediately.
WordPress versions 4.9.6 and earlier are affected by a media issue that could potentially allow a user with certain capabilities to attempt to delete files outside the uploads directory.
Thank you to Slavco for reporting the original issue and Matt Barry for reporting related issues.
Seventeen other bugs were fixed in WordPress 4.9.7. Particularly of note were:
- Taxonomy: Improve cache handling for term queries.
- Posts, Post Types: Clear post password cookie when logging out.
- Widgets: Allow basic HTML tags in sidebar descriptions on Widgets admin screen.
- Community Events Dashboard: Always show the nearest WordCamp if one is coming up, even if there are multiple Meetups happening first.
- Privacy: Make sure default privacy policy content does not cause a fatal error when flushing rewrite rules outside of the admin context.
The nice thing about these security updates is that they are applied automatically unless a site has been explicitly configured not to update. This certainly comes in handy when you manage dozens or even hundreds of WordPress websites for clients. Not having to update each site by hand shortens the window in which a patched vulnerability can be exploited on older installations. If you generally use the same admin email across all of your websites, you should receive a notification of each successful automatic upgrade for those sites. It’s a welcome reassurance that your sites are protected from a potentially dangerous vulnerability.
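As an added example (not part of the original post, and not WordPress's own code), a small Python script that audits a directory of WordPress document roots, reporting each site's core version against 4.9.7 and whether wp-config.php explicitly disables background core updates via the real AUTOMATIC_UPDATER_DISABLED or WP_AUTO_UPDATE_CORE constants; the two sample sites it builds are constructed, and the parent directory you point it at is an assumption.

```python
import re
import tempfile
from pathlib import Path

FIXED = (4, 9, 7)  # the release announced above
VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([0-9.]+)[^'\"]*['\"]")
# Real wp-config.php constants; either one stops the background core updater.
DISABLED_RES = [
    re.compile(r"define\(\s*['\"]AUTOMATIC_UPDATER_DISABLED['\"]\s*,\s*true\s*\)", re.I),
    re.compile(r"define\(\s*['\"]WP_AUTO_UPDATE_CORE['\"]\s*,\s*false\s*\)", re.I),
]

def parse_version(text):
    # Core version from wp-includes/version.php as an int tuple, e.g. (4, 9, 6)
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).strip(".").split(".")) if m else None

def auto_updates_disabled(config_text):
    # Only sees wp-config.php constants; a plugin hooking the
    # 'automatic_updater_disabled' filter would not show up here.
    return any(r.search(config_text) for r in DISABLED_RES)

def audit_site(docroot):
    root = Path(docroot)
    version = parse_version((root / "wp-includes" / "version.php").read_text(errors="ignore"))
    cfg = root / "wp-config.php"
    return {
        "docroot": root.name,
        "version": ".".join(map(str, version)) if version else None,
        "below_fixed": version is not None and version < FIXED,
        "auto_updates_disabled": cfg.exists() and auto_updates_disabled(cfg.read_text(errors="ignore")),
    }

def audit_fleet(parent):
    # Audit every child directory of `parent` that looks like a WordPress install
    return [audit_site(d) for d in sorted(Path(parent).iterdir())
            if (d / "wp-includes" / "version.php").exists()]

def make_sample_fleet():
    # Constructed sample: two fake docroots holding only the files audited above
    base = Path(tempfile.mkdtemp())
    samples = {"client-a": ("4.9.7", ""),
               "client-b": ("4.9.6", "define( 'AUTOMATIC_UPDATER_DISABLED', true );\n")}
    for name, (ver, cfg) in samples.items():
        (base / name / "wp-includes").mkdir(parents=True)
        (base / name / "wp-includes" / "version.php").write_text(f"<?php\n$wp_version = '{ver}';\n")
        (base / name / "wp-config.php").write_text("<?php\n" + cfg)
    return base

if __name__ == "__main__":
    for r in audit_fleet(make_sample_fleet()):  # point at e.g. "/var/www" for a real fleet (assumed path)
        print(r)
```

A site that is both below 4.9.7 and has auto-updates disabled is the one to patch by hand first; sites on older branches receive their own backported point release, so compare those against their branch's fixed version.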
This particular vulnerability allowed certain users (those with permission to edit and delete media library files) to delete WordPress installation files. Aside from completely breaking a site, an attacker could supply their own wp-config file pointing at a database on a server of their choosing, either to serve spam content or to fool visitors into thinking that the site is still operating normally. Such attackers could then collect information on visitors, in some cases sensitive data such as credit card details.
Thankfully, this flaw DOES require access to a WordPress user role for a target website. Most WordPress websites only create accounts for trusted colleagues and individuals. The likelihood that a person would betray their employers or friends, I assume, would be very slim. Therefore, I wouldn’t classify this exploit as critical. The last widespread critical exploit I can recall was the Revolution Slider URL manipulation hack back in 2014. In that case, attackers could get access to wp-config and use the information contained to take over the MySQL database of the website. As severe as this was, you couldn’t fault the WordPress team as it was a popular plugin that caused this problem.