Props to Sam Thomas (jazzy2fives) for finding an XSS issue where authenticated users with low privileges are able to add JavaScript to posts in the block editor.
github.com/WordPress/wordpress-develop/security/advisories/GHSA-rpwf-hrh2-39jf
pentest.co.uk/labs/research/subtle-stored-xss-wordpress-core/
wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/