Authenticated users with the capability to upload files could upload files with specially crafted names containing utf8 characters to execute JavaScript when later viewed.
core.trac.wordpress.org/changeset/47638/
github.com/WordPress/wordpress-develop/security/advisories/GHSA-3gw2-4656-pfr2
hackerone.com/reports/179695
wordpress.org/news/2020/04/wordpress-5-4-1/
www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/