Heute Nacht ist ein neues Update für WordPress 5 und ältere Versionen erschienen:

(…) With a maliciously crafted comment, a WordPress post was vulnerable to cross-site scripting. (…) WordPress versions 5.1 and earlier are affected by these bugs, which are fixed in version 5.1.1. Updated versions of WordPress 5.0 and earlier are also available for any users who have not yet updated to 5.1.

Wie immer bei Security-Gedöns: Aktualisieren, los, jetzt.