Inject an XSS payload in the title by going to Settings » WP Attachments » Settings » List Head.
Now, inject XSS payload & HTML injection (<h2> myavatar<script>alert(2)</script>) in the uploaded image Title in Media Library.
Now, after opening the Post page, the browser renders the XSS payload of the attachment title and image title.
The HTML injection rendered as <h2> can be seen in source code. WordPress doesn’t execute the payload of the image name in the media, it only gets executed by the wp-attachment in the post.