Why is this an issue?

By default, the WordPress administrator and editor roles can add unfiltered HTML content in various places, such as post content. This includes the capability to add JavaScript code.

If an account with such a role gets hijacked, this capability can be used to plant malicious JavaScript code that gets executed whenever somebody visits the website.

This may lead to Cross-Site Scripting (XSS) attacks, which can be used to steal other users' credentials or perform actions on behalf of other users.

How to fix it

The unfiltered_html capability should be granted only to trusted roles that genuinely need to use markup when publishing dynamic content to the WordPress website. If no user requires this capability, including those with the administrator and editor roles, it is recommended to set DISALLOW_UNFILTERED_HTML to true in wp-config.php, which removes the capability from every role.

Code examples

Noncompliant code example

define( 'DISALLOW_UNFILTERED_HTML', false ); // Noncompliant

Compliant solution

define( 'DISALLOW_UNFILTERED_HTML', true );
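A defender-side check for this rule, added here as an example that is not part of the original rule page or of WordPress itself: a Python function that reads the text of a wp-config.php and reports whether DISALLOW_UNFILTERED_HTML is effectively true. The sample configuration fragments are constructed, and the comment handling is a deliberate simplification (line comments only; block comments and `//` inside string literals are not handled).

```python
import re

# define( 'DISALLOW_UNFILTERED_HTML', <true|false> ): either quote style, any
# spacing, case-insensitive boolean literal (PHP accepts TRUE/True/true).
_DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"]DISALLOW_UNFILTERED_HTML['"]\s*,\s*(true|false)\s*\)""",
    re.IGNORECASE,
)

def _strip_line_comment(line: str) -> str:
    # Drop trailing // or # comments so commented-out defines are not counted.
    # Simplification: block comments and '//' inside strings are not handled.
    for marker in ("//", "#"):
        idx = line.find(marker)
        if idx != -1:
            line = line[:idx]
    return line

def unfiltered_html_disallowed(wp_config: str) -> bool:
    """True only if wp-config.php effectively sets DISALLOW_UNFILTERED_HTML to true.
    PHP's define() refuses to redefine a constant, so the first live define wins;
    no define at all means WordPress's default, which keeps unfiltered HTML allowed."""
    for raw in wp_config.splitlines():
        match = _DEFINE_RE.search(_strip_line_comment(raw))
        if match:
            return match.group(1).lower() == "true"
    return False

def audit_wp_config(wp_config: str) -> str:
    """Return a one-line finding in the rule's Noncompliant/Compliant wording."""
    if unfiltered_html_disallowed(wp_config):
        return "Compliant: DISALLOW_UNFILTERED_HTML is true"
    if any(_DEFINE_RE.search(_strip_line_comment(l)) for l in wp_config.splitlines()):
        return "Noncompliant: DISALLOW_UNFILTERED_HTML is explicitly false"
    return "Noncompliant: DISALLOW_UNFILTERED_HTML is not defined (defaults to false)"

# Constructed wp-config.php fragments (not real site configuration).
SAMPLE_NONCOMPLIANT = """<?php
define( 'DB_NAME', 'example_db' );
define( 'DISALLOW_UNFILTERED_HTML', false ); // Noncompliant
$table_prefix = 'wp_';
"""
SAMPLE_COMPLIANT = """<?php
define("DISALLOW_UNFILTERED_HTML", TRUE);
"""

if __name__ == "__main__":
    print(audit_wp_config(SAMPLE_NONCOMPLIANT))
    print(audit_wp_config(SAMPLE_COMPLIANT))
```

To audit a real installation, pass the contents of the site's wp-config.php to audit_wp_config; a missing define is reported as noncompliant because WordPress then keeps the capability enabled for administrators and editors.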

Resources