Add note for wordpress status on CVE-2018-5776

Tracking would have been actually enought to track 4.1+dfsg-1 as fixing
version since that version removed the two problematic files, and those
were never agin introduced (they are *not* present in 4.9.1+dfsg-1 for
example, but upstream 4.9.2 then removed the whole problematic
mediaelement part).