Thanks for reporting this, but at least we need admin access to add it (HTMLy is safe as long as you don't hack your own blog). On any system, if you can gain admin access it will be a disaster.
The description is mostly used to generate the about widget on the sidebar, and usually we put a link or even a script. Using the custom config page we can inject a script into our blog, e.g. for a custom comment script, tweet, etc., so this is not a bug but a feature, and the config page is only accessible by the admin. So at the moment I will mark it as won't fix. Thanks.
The XSS filtering of the blog Title, Tagline, and Description in config.html.php is not rigorous, resulting in the generation of stored XSS.



Front display