Props to Ben Bidner of the WordPress Security Team for finding an open redirect issue in wp_validate_redirect().
github.com/WordPress/wordpress-develop/security/advisories/GHSA-q6pw-gvf4-5fj5
github.com/WordPress/WordPress/commit/10e2a50c523cf0b9785555a688d7d36a40fbeccf
wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/