According to the WordPress release notes:
"Props to Soroush Dalili (@irsdl) from NCC Group for disclosing an issue with URL sanitization that can lead to cross-site scripting (XSS) attacks."
Thanks to @irsdl's HackerOne disclosure:
Soroush Dalili (@irsdl) - NCC Group
2019-09-05 (about 3 years ago)
2020-09-22 (about 2 years ago)