WHY THE FUCK IS THE UPGRADE UNZIP DIR HARDCODED IN WORDPRESS TO A LOCATION IN THE WEBROOT????????? It should be /tmp.... I always knew wordpress devs were... special...

To prevent OS specific behaviour.

Or perhaps it needs to run trusted code from there. Do you want to run trusted code from /tmp?

@Demolishun yes... It's secure by design and not part of backups by default.. even often self cleaning and faster. Drupal uses an API call to resolve tmp dir. Correct approach: onfigurable override, default os location, webroot if all fails