WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled. Reference: https://core.trac.wordpress.org/changeset/45936
Created wordpress tracking bugs for this issue: Affects: epel-6 [bug 1776425] Affects: epel-7 [bug 1776426]
Fixed in 5.2.4