WordPress is vulnerable to cross-site scripting (XSS). The vulnerability exists because the name of the theme folder is not sanitized on the themes page in /wp-admin when the admin uploads the theme.
github.com/WordPress/wordpress-develop/commit/404f397b4012fd9d382e55bf7d206c1317f01148
github.com/WordPress/wordpress-develop/security/advisories/GHSA-87h4-phjv-rm6p
lists.debian.org/debian-lts-announce/2020/07/msg00000.html
lists.debian.org/debian-lts-announce/2020/09/msg00011.html
lists.fedoraproject.org/archives/list/[email protected]/message/773N2ZV7QEMBGKH6FBKI6Q5S3YJMW357/
lists.fedoraproject.org/archives/list/[email protected]/message/ODNHXVJS25YVWYQHOCICXTLIN5UYJFDN/
wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/
www.debian.org/security/2020/dsa-4709