• There are many reasons why allowing users to put JS directly in the Dashboard is a bad idea.

    But one of such reasons is security. With this plugin you can break the whole site. And combining it with any XSS vulnerability, it allows you to take over any site…

    Useless and dangerous…

Viewing 3 replies - 1 through 3 (of 3 total)
  • Peter Wilson

    (@peterwilsoncc)

    @drozdz Thanks for your review.

    It’s worth noting that our plugin follows the WordPress capabilities rather than allowing any user to post raw HTML.

    In order to add or modify code in the headers and footers, the plugin requires a user be an administrator and have the manage_options capability.

    WordPress allows administrators to post unfiltered html when writing posts and to edit theme and plugin files.

    Low privileged users (such as authors and contributors) are unable to use this plugin to add HTML to the page per the WordPress roles and capabilities.

    Now if you’ve discovered a legitimate security issue with the plugin, then please email plugins@wordpress.org with reproduction steps.

    Thread Starter Krzysiek Dróżdż

    (@drozdz)

    It’s not a matter of capabilities and roles…

    1. You are unable to filter JS code to be sure that it’s secure.

    2. The first thing that any security person does is to disable any way of posting unfiltered JS code from Dashboard.

    3. If a person is unable to publish JS code in the correct way (editing files), then, most probably, it’s a person that shouldn’t post that code at all.

    4. If you really need to post JS without editing files, do it in a more secure way – using Google Tag Manager.

    Really – there is no need for such plugin in 2021. It’s harmful, it teaches and promotes very bad practices and laziness…
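    The two posts above argue over the same mechanism: the plugin author says storage of raw scripts is gated on the manage_options capability, and the reviewer's second point is that a security-minded site owner disables any dashboard path for unfiltered code. The PHP below is an added example written for this page, not the plugin's own code, showing how those two controls fit together in a WordPress plugin: the settings screen and save handler are restricted to manage_options, a nonce guards against CSRF, and the decision to store raw markup is tied to the separate unfiltered_html capability, which site owners can revoke for everyone (administrators included) with define( 'DISALLOW_UNFILTERED_HTML', true ) in wp-config.php. The option name, page slug and function names prefixed example_ are hypothetical.

```php
<?php
// Added example, not code from the plugin discussed above.
// Names prefixed "example_" are hypothetical; the WordPress API calls are real.

add_action( 'admin_menu', function () {
    // The settings screen is only registered for users holding manage_options.
    add_options_page( 'Header Scripts', 'Header Scripts', 'manage_options',
        'example-header-scripts', 'example_render_settings_page' );
} );

function example_render_settings_page() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'example_save_header_scripts' ); ?>
        <input type="hidden" name="action" value="example_save_header_scripts">
        <textarea name="example_header_scripts" rows="10" cols="80"><?php
            echo esc_textarea( get_option( 'example_header_scripts', '' ) ); ?></textarea>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

add_action( 'admin_post_example_save_header_scripts', 'example_save_header_scripts' );

function example_save_header_scripts() {
    // CSRF check: the form must carry the nonce emitted by wp_nonce_field() above.
    check_admin_referer( 'example_save_header_scripts' );

    // Role check: only users with manage_options (administrators by default)
    // may change markup that is injected into every page of the site.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    $raw = isset( $_POST['example_header_scripts'] )
        ? wp_unslash( $_POST['example_header_scripts'] ) : '';

    // Policy check: unfiltered_html is the capability that lets a user store raw <script>.
    // It is revoked for everyone when DISALLOW_UNFILTERED_HTML is true in wp-config.php
    // (map_meta_cap maps it to do_not_allow) and, on multisite, is held only by super admins.
    // Without it, fall back to the same filter WordPress applies to post content:
    // wp_kses_post() removes <script>, <iframe>, on* handlers and javascript: URLs.
    $stored = current_user_can( 'unfiltered_html' ) ? $raw : wp_kses_post( $raw );

    update_option( 'example_header_scripts', $stored, false );

    wp_safe_redirect( add_query_arg( 'example_saved', '1',
        admin_url( 'options-general.php?page=example-header-scripts' ) ) );
    exit;
}

add_action( 'wp_head', 'example_print_header_scripts', 99 );

function example_print_header_scripts() {
    $scripts = get_option( 'example_header_scripts', '' );
    if ( '' === $scripts ) {
        return;
    }
    // Defence in depth: if the owner later sets DISALLOW_UNFILTERED_HTML, scripts that were
    // stored earlier are filtered at output time too instead of lingering in the option.
    if ( defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML ) {
        $scripts = wp_kses_post( $scripts );
    }
    echo $scripts; // Intentionally unescaped: trust was decided at storage time above.
}
```

    The point to notice is that manage_options and unfiltered_html are distinct checks: the first decides who reaches the settings page, the second decides whether what they type is stored as executable markup. A plugin that only checks the former still lets an administrator store raw scripts on a site whose owner has deliberately set DISALLOW_UNFILTERED_HTML, which is the gap the reviewer's second point is about.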

    Plugin Author Syed Balkhi

    (@smub)

    It’s important I emphasize that for someone to add scripts via this plugin, it requires them to have Admin access to WordPress.

    If a hacker has already obtained admin access to your site, then no other security measure matters.

    Similar to if a hacker gained access to your Google Tag Manager account.

    This plugin is no different than using Google Tag Manager except it’s a lot more beginner friendly.

  • The topic ‘The worst nightmare from security point of view’ is closed to new replies.