According to the WordPress release notes: “Props to Soroush Dalili (@irsdl) from NCC Group for disclosing an issue with URL sanitization that can lead to cross-site scripting (XSS) attacks.”
Thanks to @irsdl’s HackerOne disclosure:

JS - Numerical Entities
JS - Hex Entities