

File uploads allow for cross-site scripting in WordPress - nbpoole
https://nealpoole.com/blog/2011/04/file-upload-xss-vulnerability-in-wordpress/

======
cheald
WordPress users with Author permission can also, you know, write posts with
arbitrary HTML.

If you have a malicious user with Author permissions, or who has their account
compromised, you're in a lot of trouble already. There's an assumption that if
a user can be trusted to write posts with arbitrary HTML, the same user can be
trusted to upload a variety of files.

