Launchpad.net

CVE 2018-20153

In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could modify new comments made by users with greater privileges, possibly causing XSS.

See the CVE page on Mitre.org for more details.