No sooner than I had patched WordPress 4.9.5 to fix the arbitrary unlink bug than I realised there is a WordPress 4.9.7 out there. This release (just out for Debian, if my Internet behaves) fixes the unlink bug found by RIPS Technologies. However, the WordPress developers used a different method to fix it.
There will be Debian backports for WordPress that use one of these methods. It will come down to do those older versions use hooks and how different the code is in post.php
You should update, and if you don’t like WordPress deleting or editing its own files, perhaps consider using AppArmor.