WordPress 4.5.2 and previous versions are prone to a cross-site scripting vulnerability in the column_title function in wp-admin/includes/class-wp-media-list-table.php. It allows an attacker to inject arbitrary web script or HTML via a crafted attachment name.
Related: http://db.threatpress.com/sysadmin/vulnerabilities/834/
Update WordPress.