WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled.

Source