Posted by Ryan Dewhurst on Dec 23

The POST request contains a CSRF nonce that is validated by the server and
an administrator user is the only role that is able to use the plugin (at
least by default).

Only an administrator user is able to execute JavaScript using the issue
you described due to the limitations I mentioned above.

An administrator user already has the permission to embed JavaScript and
execute PHP within WordPress as long as they have a valid CSRF nonce.

This is…