I discovered this by accident when I was leaving a Facebook API example for a commenter, and posted a code snippet that included the <script> tag referencing http://connect.facebook.net/en_US/all.js#xfbml=1. To my surprise, a Facebook Comments widget appeared within my comment!
I did some testing with a fresh WordPress installation and ensured that it wasn’t related to any of my own customizations or installed plugins, and that only high-ranking user accounts could do it.
So I did some digging, wondering whether I should report the issue to the core developers, and found this:
Users with Administrator or Editor privileges are allowed to publish unfiltered HTML in post titles, post content, and comments. WordPress is, after all, a publishing tool, and people need to be able to include whatever markup they need to communicate. Users with lesser privileges are not allowed to post unfiltered content.
[…] Regardless, an Administrator has wide-ranging super powers among which unfiltered HTML is a lesser one.
In WordPress multisite, only super administrators can publish unfiltered HTML, as all other users are considered untrusted.
So, the lesson here is to be cautious about who you assign Editor privileges to. If you don't trust them, don't give them an Editor account. Besides, a rogue Editor could play havoc with posts and comments even without being able to paste in malicious code.
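If you need Editors but don't want them publishing raw script tags, the capability behind this behaviour, unfiltered_html, can be taken away. The following is an added example (not code from the original post) written as a must-use plugin; it hooks WordPress's map_meta_cap filter, the same mechanism core uses when the DISALLOW_UNFILTERED_HTML constant is set, and denies unfiltered_html to any user who lacks manage_options (i.e. anyone below Administrator), so their content goes through the usual KSES filtering.

```php
<?php
/**
 * Plugin Name: Restrict unfiltered HTML to Administrators (added example)
 * Description: Drop this file into wp-content/mu-plugins/. Editors keep their
 * editing rights, but their posts, titles and comments are passed through
 * KSES like any other user's, because they no longer hold unfiltered_html.
 *
 * Blunter alternative, no plugin needed: put
 *     define( 'DISALLOW_UNFILTERED_HTML', true );
 * in wp-config.php. That disables the capability for everyone, Administrators
 * included, and is what WordPress itself checks inside map_meta_cap().
 */

add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id ) {
    if ( 'unfiltered_html' !== $cap ) {
        return $caps;
    }

    // manage_options is held by Administrators (and Super Admins) only.
    // Checking a different capability here does not re-enter this branch.
    if ( ! user_can( $user_id, 'manage_options' ) ) {
        // 'do_not_allow' is the primitive capability nobody is granted,
        // so current_user_can( 'unfiltered_html' ) becomes false and
        // kses_init() attaches wp_filter_post_kses / wp_filter_kses to
        // the content_save_pre and pre_comment_content filters.
        return array( 'do_not_allow' );
    }

    return $caps;
}, 10, 3 );

/**
 * Helper for verifying the policy from WP-CLI or a theme's functions.php,
 * e.g. `wp eval 'var_dump( example_user_may_post_raw_html( 3 ) );'`
 * (the function name is this example's own, not a WordPress API).
 */
function example_user_may_post_raw_html( $user_id ) {
    return user_can( (int) $user_id, 'unfiltered_html' );
}
```

After installing, an Editor previewing a post containing `<script>` will see the tag stripped on save, which is a quick way to confirm the filter is active.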