A path traversal vulnerability was found in the Core Ajax handlers of the WordPress Admin API. This issue can (potentially) be used by an authenticated user (Subscriber) to create a denial of service condition of an affected WordPress site. It is also possible to trigger this issue via Cross-Site Request Forgery as the nonce check is done too late in this case.
References: http://seclists.org/oss-sec/2016/q3/341
External References: https://sumofpwn.nl/advisory/2016/path_traversal_vulnerability_in_wordpress_core_ajax_handlers.html
Created wordpress tracking bugs for this issue:
Affects: fedora-all [bug 1369120]
Affects: epel-all [bug 1369121]
wordpress-4.6-2.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.