Admins and editors are allowed to use JS in posts/pages/comments/etc, so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles (more information). Please consider using the WPScan Vulnerability Test Bench for testing vulnerabilities in a standard and consistent environment.
-
Subscribe
Subscribed
Already have a WordPress.com account? Log in now.
WPScan