CVE-2018-5776 (https://nvd.nist.gov/vuln/detail/CVE-2018-5776): WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement).
Tree is clean: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aa224e1e0e8eac0f4b180d0a5a937e29c9387c0d