This can lead to code execution if the wp-config.php file is deleted, which forces WordPress to start the installation process. The issue can be exploited by any user who is able to edit uploaded media.
blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/
blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/
github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd
wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/
www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/