The wordpress plugins installer creates files insecurely in /tmp

root@debian:/tmp# ls -l attachment-importer.tmp 
-rw-r--r-- 1 www-data www-data 7015 Feb 16 08:26 attachment-importer.tmp

The filename is predictable plugin name that is being downloaded.