Admin can enter JavaScript – potential security risk?

The answer is in your question.

I try this when login as admin and editor.

The roles have the unfiltered_html capability that allows them to put whatever HTML they choose, including <script> tags, where ever they choose.

Is is a security risk? Only if you give folks you don’t trust admin and/or editor roles. Or someone gains access to your an admin/editor account. Or there’s another security hole somewhere in the core that allows privilege escalation from a lower to higher user level (unlikely).

By itself, it’s not a security risk. Admin and editors need to be able to do things to actually manage the site.

Related Posts:

  1. comment_post_ID 0 (cannot remove from dashboard)
  2. Enable Submit Comment Without Page Reload (Using Ajax)?
  3. Comment Reply javascript
  4. Why do I get accidental comments without (the required) email address?
  5. Comment form validation
  6. How to Block Access to Standard Login Flow and Comment Flow
  7. Strategies for coping with hyperagressive spambots?
  8. Sanitizing comments or escaping comment_text()
  9. wp_insert_comment and security
  10. Is WordPress vulnerable to “comment posting forgery”?
  11. Display the number of unseen comments on a page since the user last visit
  12. Using defer or async JavaScript attributes prevents pingbacks and trackbacks from being sent
  13. reCaptcha doesnt appear in comment (manual or plugin)
  14. WordPress scruity issue – Totally disable all comments by CSS — secure enough?
  15. How are readers authenticated for leaving comments?
  16. Remove Javascript generated by Comments
  17. Comment form in wordpress theme returns a javascript alert
  18. WordPress Commenting System User access and Security
  19. js solution to… Commentor can only post one comment BUT can reply to their comment tree unlimited [duplicate]
  20. Comments – Ensure the correct field is highlighted for nested replies
  21. Is it possible to pull comments from facebook into your blog?
  22. How to deal with small scale comment spam on small commercial sites? [closed]
  23. Add placeholder attribute to comment form fields
  24. human_time_diff() returns “48 years ago” for all comments
  25. Allow anonymous comments, but prevent spam [closed]
  26. Where to remove from comment’s feed?
  27. Why are default comments deprecated?
  28. Comments Reply Form
  29. Delete all user comments
  30. Why do I get email notifications about comments that WordPress has already determined are spam?
  31. “Leave a comment” link even when you can’t
  32. How to check if commenter is the_author?
  33. How to save new comment as custom comment type?
  34. How to remove the “on” string before recent comments link?
  35. Whats the safest way to output custom JavaScript and Css code entered by the admin in the Theme Settings?
  36. WordPress unresponsive after calling wp_update_comment()
  37. edit comments capability for authors
  38. Publish a message on facebook after having posted a comment
  39. How can I edit the Twenty Ten Theme to remove the comments box when a page uses a specific template?
  40. Highlight Author Comments issues
  41. Nonces, AJAX, script variables & security in WordPress
  42. Users with custom roles can’t read each other’s comments
  43. How can I fix wp_insert_comment failure when ‘comment_content” includes slanted apostrophe in Excel csv source data
  44. Author can only see own post comment and can moderate
  45. highlight “starred” comments by admin
  46. How can I edit comment notification email content?
  47. Filter In Reply comments from WordPress Admin Panel
  48. How can I hide the IP of registered commentators?
  49. How to configure WordPress + plugins to support these commenting features
  50. Comments vs. Pingbacks next page issue
  51. How to automatically evaluate comment content without user seeing the delay?
  52. Comments invisible after moving WordPress to new server, while commenting still works
  53. Allow the comment author to delete their own comments
  54. css hide all the comment reply links except the lowest nested comments
  55. Spammers attacking my WordPress Site – Removing URL field from core? [closed]
  56. Prioritizing the wordpress comments
  57. Comments from vbulletin topic [closed]
  58. wp.getComments is returning nill, when i called from my iphone app [closed]
  59. How to override wp_insert_comment()
  60. Can I have Comments open to specific users only?
  61. How to edit the text below “Leave a Reply”
  62. Commenting system for WordPress
  63. Commentlist: bypostauthor problem with children list
  64. Comments does not work?
  65. How do I disable the discussion notification emails to us when a comment is “approved” and when an adiministrator replies?
  66. Review count per product
  67. Moving post’s content to post’s comments section
  68. comment_notes_before not working
  69. why can’t I retrieve the comment ID?
  70. get_comment_link without pagination base in the returned URL?
  71. Comments on future posts
  72. Copy and Paste Password for Comments
  73. Returning error upon comment being flagged as spam
  74. is it possible to have the full code instead in the comments.php page
  75. How do i remove approved spam comments by date?
  76. How to Trigger comment_form_after action if comment_form() not used
  77. Insert ads between comments
  78. get_query_var(‘paged’) for WP_Comment_Query always return 1 when using paginate_comments_links()
  79. How to only show current user’s comments and comments on current user’s posts in wp admin
  80. How to make author comment name to “Editorial Staff” no matter which ever author is replying to comments from his/her account?
  81. Changing the Comment Fields using Filter (without success)
  82. How to show username in reply to comment?
  83. Comments pagination: reverse JUST the links texts (1-2-3 to 3-2-1), not comments order
  84. Display date and time into post edit comments section
  85. Disallowed Tag Present in AMP WordPress ()
  86. Subcriber getting multiiple notifications for new comments
  87. Comments/Discussion Not enabled on newly created posts/pages
  88. Fire Social Annex Code on Comment Approval
  89. How can I enable commenting from mobile view?
  90. Let user delete comment on front end only
  91. How to force users to nest their comments
  92. jQuery to Create Button to Show/Hide WordPress Comments and to Hide Comments by Default
  93. Comment form – different title if no comment yet
  94. WordPress Comments jQuery Doesn’t submit
  95. Insert comment and still use moderation
  96. Loop not displaying comments_popup_link
  97. Display of comment_date within get_comments?
  98. How to batch convert comments to posts?
  99. I need help about wordpress of members section
  100. Add ACF Quick Edit Columns on Comments