The WordPress team fixed a software flaw introduced in the 5.1 release that could allow potential attackers to perform stored cross-site scripting (XSS) attacks with the help of maliciously crafted comments on WordPress websites with the comments module enabled. WordPress is used by over 33% of all websites on the internet, according to its own download page. The vulnerability would make it possible for bad actors to take over websites using a CSRF vulnerability by luring a logged on administrator into visiting a malicious website containing an XSS payload.
Source: https://www.bleepingcomputer.com/news/security/wordpress-511-fixes-xss-vulnerability-leading-to-website-takeovers/