Wordpress users with Author permission can also, you know, write posts with arbitrary HTML.
If you have a malicious user with Author permissions, or who has their account compromised, you're in a lot of trouble already. There's an assumption that if a user can be trusted to write posts with arbitrary HTML, the same user can be trusted to upload a variety of files.
1 comment
[ 4.6 ms ] story [ 14.5 ms ] threadIf you have a malicious user with Author permissions, or who has their account compromised, you're in a lot of trouble already. There's an assumption that if a user can be trusted to write posts with arbitrary HTML, the same user can be trusted to upload a variety of files.