WordPress version 4.5.2 is prone to a cross-site scripting (XSS) vulnerability in the wp_get_attachment_link function in wp-includes/post-template.php. It allows an attacker to inject arbitrary web script or HTML via a crafted attachment name.
Related: http://db.threatpress.com/sysadmin/vulnerabilities/835/
Update WordPress.