Thanks Mick. The release that went out this evening fixes this issue - that's version 5.2.3 - along with a few other nice improvements like a newer country database.
For someone to exploit this they'd have to hit your site with something that lets them generate a fake referrer. Then get you (while logged in as admin) to go to Wordfence, open live traffic, look at their referrer along with all the others you're seeing and click it. Alternatively they need to get you to look at live traffic and then click their IP address to see all traffic from their IP - that's another way to get their XSS to execute.
The fix has been released in version 5.2.3 and if you have auto-update installed you'll be auto upgraded within 24 hours.
The fix will apply to traffic that has already been logged along with new traffic.
Regards,
Mark.