By default, the WordPress administrator and editor roles can add unfiltered HTML content in various places, such as post content. This includes the capability to add JavaScript code.

If an account with such a role gets hijacked, this capability can be used to plant malicious JavaScript code that gets executed whenever somebody visits the website.

Ask Yourself Whether

• You really need the possibility to add unfiltered HTML with editor or administrator roles.
• There’s a chance that the accounts of authorized users get compromised.

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

The unfiltered_html capability should be granted to trusted roles that need to use markup when publishing dynamic content to the WordPress website. If this capability is not required for all users, including administrators and editors roles, then it’s recommended to set DISALLOW_UNFILTERED_HTML to true.

Noncompliant Code Example

define( 'DISALLOW_UNFILTERED_HTML', false ); // sensitive

Compliant Solution

define( 'DISALLOW_UNFILTERED_HTML', true );

See

• OWASP Top 10 2021 Category A3 - Injection
• OWASP Top 10 2021 Category A5 - Security Misconfiguration
• OWASP Top 10 2017 Category A6 - Security Misconfiguration
• OWASP Top 10 2017 Category A7 - Cross-Site Scripting (XSS)
• MITRE, CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')