Why are some users allowed to post unfiltered HTML?

Users with Administrator or Editor roles are allowed to publish unfiltered HTML in post titles, post content, and comments, and upload HTML files to the media library. WordPress is, after all, a publishing tool, and people need to be able to include whatever markup they need to communicate. Users with lesser privileges (Authors and Contributors) are not allowed to post unfiltered content or upload HTML files.

If you are running security tests against WordPress, use a lesser privileged user so that all content is filtered. If you are concerned about an Administrator or Editor putting XSS into content and stealing cookies, note that all cookies are marked for HTTP only delivery, and are divided into privileged cookies used for admin pages, and unprivileged cookies used for public facing pages. Content is never displayed unfiltered within the admin dashboard.

In WordPress Multisite, only Super Admins can publish unfiltered HTML, as all other users (including site Administrators) are considered untrusted.

To disable unfiltered HTML for all users, including administrators, add define( 'DISALLOW_UNFILTERED_HTML', true ); to wp-config.php.
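As an added example (not part of the original page and not WordPress core code), the following must-use plugin shows in the dashboard whether the logged-in user is actually granted unfiltered_html under the rules described above (role, Multisite, DISALLOW_UNFILTERED_HTML) and what wp_kses_post() strips from a constructed sample; the file location wp-content/mu-plugins/unfiltered-html-check.php is an assumption.

```php
<?php
/*
 * Plugin Name: Unfiltered HTML check (added example, not WordPress core)
 * Hypothetical mu-plugin; assumed path: wp-content/mu-plugins/unfiltered-html-check.php
 */

defined( 'ABSPATH' ) || exit;

add_action( 'admin_notices', function () {
    // current_user_can() reflects core's final decision: unfiltered_html is
    // denied when DISALLOW_UNFILTERED_HTML is set, or on Multisite for anyone
    // who is not a Super Admin; otherwise it follows the user's role.
    $allowed  = current_user_can( 'unfiltered_html' );
    $constant = defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML;

    // Constructed sample of markup a lesser-privileged user might submit.
    $sample   = '<p onclick="x()">Hello <script>x()</script><b>world</b></p>';
    $filtered = wp_kses_post( $sample ); // the filter applied to untrusted content

    echo '<div class="notice notice-info"><p>';
    echo 'DISALLOW_UNFILTERED_HTML: ' . ( $constant ? 'set' : 'not set' ) . '<br>';
    echo 'Multisite: ' . ( is_multisite() ? 'yes' : 'no' ) . '<br>';
    echo 'Current user may post unfiltered HTML: ' . ( $allowed ? 'yes' : 'no' ) . '<br>';
    echo 'wp_kses_post() output for the sample: ' . esc_html( $filtered );
    echo '</p></div>';
} );
```

Log in as an Administrator before and after adding the constant to wp-config.php and the notice should flip from "yes" to "no"; the filtered sample is shown escaped so the notice itself never renders the submitted markup.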
