WordPress before 5.2.3 allows XSS in shortcode previews. Reference: https://wpvulndb.com/vulnerabilities/9864
Created wordpress tracking bugs for this issue: Affects: epel-6 [bug 1776433] Affects: epel-7 [bug 1776434]
Fixed in 5.2.4