This issue allows an unauthenticated attacker to obtain administrative control of a WordPress installation, which is then used to make arbitrary changes to .php files on the server, i.e. to execute code. It stems from a combination of insufficient filtering of user-supplied input and a weakness in the CSRF protection of the affected component.

The issue was discovered during the WordPress 5.2 release cycle and is fixed in that release; the fix was also backported to WordPress 4.9.10. Installations on the 4.9 branch below 4.9.10, and installations on any other branch below 5.2, should be treated as vulnerable.
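A quick way to triage installations against the release numbers above, as an added example that is not part of this advisory: the script reads the installed version from wp-includes/version.php and reports whether it is below the fixed release for its branch. It takes the fixed releases exactly as stated above (4.9.10 for the 4.9 branch, 5.2 for everything else), assumes the standard $wp_version = '...'; line in version.php, and treats pre-release suffixes such as -beta1 as the base version; the path /var/www/html in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original advisory.
# Classifies a WordPress version against the fixed releases the advisory names:
# 4.9.10 for the 4.9 branch, 5.2 for every other branch.

# Pull the installed version out of wp-includes/version.php under the given root
# (the file contains a line such as: $wp_version = '5.1.1';).
wp_installed_version() {
    sed -n "s/^\$wp_version *= *'\([^']*\)'.*/\1/p" "$1/wp-includes/version.php"
}

# Normalise "MAJOR.MINOR[.PATCH][-suffix]" to three numeric fields, e.g. "5.2-beta1" -> "5 2 0".
wp_version_fields() {
    v=${1%%[-+]*}               # drop a pre-release suffix (assumption: treat it as the base version)
    old_ifs=$IFS; IFS=.
    set -- $v                   # split on dots into positional parameters
    IFS=$old_ifs
    printf '%d %d %d\n' "${1:-0}" "${2:-0}" "${3:-0}"
}

# Exit status 0 (true) when VERSION is below the fixed release for its branch.
wp_version_vulnerable() {
    set -- $(wp_version_fields "$1")
    major=$1; minor=$2; patch=$3
    if [ "$major" -eq 4 ] && [ "$minor" -eq 9 ]; then
        [ "$patch" -lt 10 ]                 # 4.9 branch: fixed in 4.9.10
    else
        # everything else (including branches older than 4.9): fixed in 5.2
        [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 2 ]; }
    fi
}

# Usage: sh wp-check.sh /var/www/html   (placeholder path: point it at the WordPress root)
if [ "$#" -gt 0 ]; then
    ver=$(wp_installed_version "$1")
    if [ -z "$ver" ]; then
        echo "$1: no readable wp-includes/version.php" >&2
        exit 2
    fi
    if wp_version_vulnerable "$ver"; then
        echo "$1: WordPress $ver is below the fixed release for its branch: upgrade"
        exit 1
    else
        echo "$1: WordPress $ver already carries the fix"
    fi
fi
```

The branch-aware comparison matters: a plain "is it below 5.2" test would flag 4.9.10 as vulnerable even though it carries the backported fix, while a plain "is it below 4.9.10" test would miss every 5.0.x and 5.1.x installation.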

The vulnerability was demonstrated through comment fields, but it cannot be ruled out that other input paths reach the same flaw. Disabling comments is therefore a sensible hardening step for vulnerable installations that cannot be upgraded immediately, not a complete mitigation. When taking that step, note that the "Allow people to submit comments on new posts" option in the Discussion settings only affects posts created afterwards; comments must also be closed on every existing post.

In any case, the recommended fix is to upgrade to the patched release of the branch in use, and preferably to the latest major WordPress version, since older branches are not guaranteed to keep receiving security updates.