The RCE part was fixed in WordPress 5.0.1 but the path traversal is still a
problem.

So the problem is that for the WordPress core, the way to exploit the path
traversal was taken away (but not the path traversal itself). The author
still states that some plugins or themes may still use this method
incorrectly, leading to a path traversal.

The Ripstech blog post simplifies it, but I can see [1] that the
get_attached_file() in wp-includes/post.php still has the same code. It
just adds the upload directory on instead of sanitizing it.

[1] https://core.trac.wordpress.org/browser/trunk/src/wp-includes/post.php#L452
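To make the distinction in the post concrete (prepending the upload directory versus actually containing the path), here is an added PHP example. It is not WordPress code and not the body of get_attached_file(); the function names naive_join() and resolve_inside(), the temporary upload directory and the three sample stored values are all constructed for this illustration. The naive function simply concatenates, as the post says core does; the hardened one canonicalises the result and rejects anything that resolves outside the upload directory.

```php
<?php
// Added example (not WordPress code). Shows naive base-dir + stored-value
// concatenation beside a containment check that keeps the resolved path
// inside the upload directory.

// Naive join of the kind the post describes: upload dir + stored value,
// with no check on what the stored value contains.
function naive_join(string $uploadDir, string $attachedFile): string
{
    return rtrim($uploadDir, '/') . '/' . $attachedFile;
}

// Hardened resolution: canonicalise and require the result to stay under
// the upload directory. Returns null for anything that escapes it.
function resolve_inside(string $uploadDir, string $attachedFile): ?string
{
    $base = realpath($uploadDir);
    if ($base === false) {
        return null;
    }
    // Reject empty values, absolute paths and NUL bytes outright.
    if ($attachedFile === '' || $attachedFile[0] === '/' || strpos($attachedFile, "\0") !== false) {
        return null;
    }
    $candidate = $base . '/' . $attachedFile;
    // realpath() needs an existing target; resolve the parent directory so
    // files that do not exist yet are handled the same way, then re-append
    // the basename.
    $dir = realpath(dirname($candidate));
    if ($dir === false) {
        return null;
    }
    $resolved = $dir . '/' . basename($candidate);
    // Prefix check with a trailing separator so "/uploads-other" does not
    // pass as being inside "/uploads".
    if (strncmp($resolved, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return $resolved;
}

// Constructed demo: a temporary upload dir holding one real file.
$uploadDir = sys_get_temp_dir() . '/wp-uploads-demo';
@mkdir($uploadDir . '/2019/02', 0700, true);
file_put_contents($uploadDir . '/2019/02/image.jpg', 'x');

$samples = [
    '2019/02/image.jpg',    // legitimate stored value
    '../../wp-config.php',  // traversal straight out of the upload dir
    '2019/../../evil.php',  // traversal hidden after a real segment
];
foreach ($samples as $s) {
    printf("%-22s naive: %s\n", $s, naive_join($uploadDir, $s));
    printf("%-22s safe : %s\n", $s, resolve_inside($uploadDir, $s) ?? 'REJECTED');
}
```

Run with `php example.php`: the first sample resolves to a path under the temporary upload directory in both functions, while the two traversal samples pass through naive_join() unchanged but come back as REJECTED from resolve_inside(). The prefix check with the trailing separator is the part most often forgotten; a bare strpos()/startsWith on the directory string lets a sibling directory with the same prefix through.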
