Admin can enter JavaScript – potential security risk?

The answer is in your question.

I try this when login as admin and editor.

The roles have the unfiltered_html capability that allows them to put whatever HTML they choose, including <script> tags, where ever they choose.

Is is a security risk? Only if you give folks you don’t trust admin and/or editor roles. Or someone gains access to your an admin/editor account. Or there’s another security hole somewhere in the core that allows privilege escalation from a lower to higher user level (unlikely).

By itself, it’s not a security risk. Admin and editors need to be able to do things to actually manage the site.

Related Posts:

  1. comment_post_ID 0 (cannot remove from dashboard)
  2. Enable Submit Comment Without Page Reload (Using Ajax)?
  3. Comment Reply javascript
  4. Why do I get accidental comments without (the required) email address?
  5. Comment form validation
  6. How to Block Access to Standard Login Flow and Comment Flow
  7. Strategies for coping with hyperagressive spambots?
  8. Sanitizing comments or escaping comment_text()
  9. wp_insert_comment and security
  10. Is WordPress vulnerable to “comment posting forgery”?
  11. Display the number of unseen comments on a page since the user last visit
  12. Using defer or async JavaScript attributes prevents pingbacks and trackbacks from being sent
  13. reCaptcha doesnt appear in comment (manual or plugin)
  14. WordPress scruity issue – Totally disable all comments by CSS — secure enough?
  15. How are readers authenticated for leaving comments?
  16. Remove Javascript generated by Comments
  17. Comment form in wordpress theme returns a javascript alert
  18. WordPress Commenting System User access and Security
  19. js solution to… Commentor can only post one comment BUT can reply to their comment tree unlimited [duplicate]
  20. Comments – Ensure the correct field is highlighted for nested replies
  21. How do I comment out a block of tags in XML?
  22. SecurityError: Blocked a frame with origin from accessing a cross-origin frame
  23. R: Comment out block of code
  24. Why do I get comment spam even with Akismet and Captcha?
  25. What tools are available for managing/writing to WordPress? [closed]
  26. How to rearrange fields in comment_form()
  27. setting comments off as default for pages and custom post types?
  28. Is it possible to pull comments from facebook into your blog?
  29. Filtering the Admin Comments List to Show Only Comments from the Current User?
  30. Non-threaded comment replies with link to original comment
  31. Approve comment hook?
  32. Commenting in user profile page?
  33. How to change “You must be logged in to post a comment.”
  34. Disable comments on all posts/pages
  35. How do I delete all comments from a specific old blog post?
  36. Removing the “Website” Field from Comments and Replies?
  37. Stop WordPress redirecting comment-page-1 to the post page?
  38. Importing old Disqus comments into WordPress
  39. How to add a class to the comment submit button?
  40. How to wrap submit button of comment form with div
  41. How to enable comments for pending and draft posts?
  42. Using WordPress’ WYSIWYG for comments
  43. What for is the table “wp_commentmeta” exactly?
  44. Getting Post Comments for post ID using WP_Query() and a Custom Loop?
  45. Add option to disable comments on a per posts basis?
  46. Resetting comment count
  47. When importing – failed to import: Invalid post type feedback
  48. How to change the email notification recipient (user) for new comments?
  49. Redirect user to a custom url after submitting the comment
  50. Paginate result set from $wpdb->get_results()
  51. Change Comment Author Display Name
  52. Would switching to InnoDB from MyISAM improve performance of comments table?
  53. Custom comment type based on thread level
  54. How to add internal, revision comments to page updates
  55. How to load and show comments with AJAX instead of pagination?
  56. Linking to Page Showing Only Comments Without Parent Post
  57. How do we remove the H3 tag for the reply-title I.D
  58. Comments not appearing at all
  59. comments reply script not working
  60. How to display comment form error messages in the same page
  61. 3 moderators to approve comment
  62. How to deal with small scale comment spam on small commercial sites? [closed]
  63. What should I do to make generated avatars different for anonymous comments?
  64. A plugin where users can comment with Facebook or Twitter or OpenID [closed]
  65. Check If comment author is registered
  66. Comments screen in backend, how to disable email address of commenter for non admins
  67. Add comments from the admin panel?
  68. How can I limit the number of comments per registered user per day?
  69. One comment per user per post but be able to reply to existing comments
  70. How to use a custom comments template
  71. Comment visibility
  72. What’s the easiest way to close comments on media/attachments?
  73. Reverse comment pagination numbers
  74. Get comments for more than one post
  75. How can I add comments to a page?
  76. How to remove comment spam in WordPress
  77. Post Comments using WP REST API v2 in WordPress
  78. show number of open comments on custom dashboard
  79. Show content only if member left a comment
  80. Add placeholder attribute to comment form fields
  81. How is comment spam received without a comments form?
  82. Does a reply to a wordpress comment notify the author of the comment?
  83. What are the current recommended best-practices for comments.php?
  84. human_time_diff() returns “48 years ago” for all comments
  85. How do I set up real anonymous posting in bbpress forums? [closed]
  86. Comment Count for each Comment Author
  87. Link name in comments to Author page? Comment Author Meta in Comments?
  88. How do I turn off wordpress comments ability to capture a users ip address?
  89. Showing comments only to same custom user role
  90. Parent comment’s author name
  91. Success message in comment form
  92. get_comments_number of depth-1 (Level 1) (1 post)
  93. Show comments from multiple post IDs in comment template
  94. Running a function on comment status change
  95. How to allow the reply link to remain on the comment form after I have reached my 10 nested comment limit?
  96. How can I control the comment counts filtering my CPT replies?
  97. Hook to edit an column on comments screen?
  98. Allowing more elements in comments via functions.php
  99. Set post comments open function
  100. Comment Author Name In Reply Form
Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)