diff -r d8a8807227e4 -r d255fe9cd479 wp/wp-includes/functions.php
--- a/wp/wp-includes/functions.php Tue Oct 15 11:56:20 2019 +0200
+++ b/wp/wp-includes/functions.php Tue Oct 15 15:48:13 2019 +0200
@@ -1787,6 +1787,11 @@
 return @is_dir( $target );
 }
 
+ // Do not allow path traversals.
+ if ( false !== strpos( $target, '../' ) || false !== strpos( $target, '..' . DIRECTORY_SEPARATOR ) ) {
+ return false;
+ }
+
 // We need to find the permissions of the parent folder that exists and inherit that.
 $target_parent = dirname( $target );
 while ( '.' != $target_parent && ! is_dir( $target_parent ) && dirname( $target_parent ) !== $target_parent ) {
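Review bot: The added guard is a substring test that only rejects `..` when a separator follows it, so a `..` that is the final segment of `$target` is not covered; since the enclosing function starts before this hunk I cannot see whether a trailing separator has already been trimmed, but if it has, the last segment is exactly the case this needle pair misses. A segment-based check is both OS-independent and closed over that case: `if ( in_array( '..', preg_split( '#[/\\\\]#', $target ), true ) ) {` in place of the two `strpos()` calls, keeping the `return false;` below it. The `'..' . DIRECTORY_SEPARATOR` needle duplicates `'../'` on non-Windows hosts, so that line carries no extra coverage there; a short comment such as `// Reject any '..' path segment, whichever separator the platform uses.` would make the intent explicit.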