Is the plain WordPress admin panel safe from server-side code execution?

Let’s say I want to give someone access to the WordPress admin panel so he can edit posts, settings etc.

My question is: Is the admin panel in a plain WordPress installation safe, so that the new user won’t be able to run any PHP server-side code? He won’t be able to install plugins, obviously (no FTP access, chmod +r-w on all wp folders).

He can put as many JavaScripts into posts as he wants; I know he will be able to hijack my cookies etc., I don’t mind. I am asking only about server-side code.


  1. If your WordPress installation is up to date, you are only using plugins from trusted developers, and you have your user roles properly configured for your specific security needs, then yes, you can expect WordPress admin to be safe from server-side scripting.

    Out of the box WordPress ships with user roles that can be modified to your liking. For instance, I’m a super admin of a multisite and can access all sites and network admin, but I don’t want my admins to have either. I can set the access level for network admin area, and what sites each admin can access.

    This can be further customized to disable things like the theme / plugin editors so you would only be able to manipulate core files from FTP etc. Also, disable the ability to install plugins.

    I use a plugin called User Role Editor and Adminimize to control various parts of any role i.e. editor, admin etc. I’ve also written my own plugin to further customize the user experience.

    By default I believe you will find any js or other scripting gets stripped out of the wp editor in pages / posts. You can circumvent this by using a text widget or a plugin I use called HTML Javascript Adder.

    Adminimize

    User Role Editor

    HTML Javascript Adder

  2. To be honest, this is not something that can be answered here with a cut-and-dried answer.

    As far as I can remember there is not a location where an admin can edit a file, upload a file or enter PHP to be executed.

    This does not mean that there are no ways to execute PHP, however. As far as we know at present, there are no known security vulnerabilities in the current version of WordPress; however, only time will tell if this will remain the same. It might be possible, for example, to exploit a form and enter PHP that can be executed unintentionally. It may also be possible to edit the URI with PHP code that is not sanitized correctly on the server.

    Take a look at this site which will show the numerous vulnerabilities that WordPress has had in the past.

    https://wpvulndb.com/wordpresses

    I am sure the WordPress developers did not knowingly release the software with these bugs but yet it happened.

  3. AFAIK by default you can only do that via the template editor.

    Now… if you don’t allow any file to be modified, in theory there is no other OOTB functionality that allows arbitrary code execution, so it should be safe, BUT…! It’s WordPress, come on… it has always had security issues, and it will continue to do so because it is full of legacy code and it is poorly designed.

    Plus, to be honest, you shouldn’t make such safety assumptions even for well engineered software.
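The lockdown that comments 1 (disable the theme/plugin editors and plugin installation) and 3 (the template editor) describe can be enforced in code rather than left to role settings. The following is an added example plugin, not code posted by any of the commenters; it assumes the file is dropped into wp-content/mu-plugins/ so it loads on every request and cannot be deactivated from the admin panel.

```php
<?php
/**
 * Plugin Name: Lockdown File Modification (constructed example)
 * Description: Removes every capability that lets a logged-in user write PHP
 * into the site through the admin panel: the built-in theme/plugin code
 * editors and plugin/theme install, upload, update and delete.
 *
 * Equivalent built-in switches in wp-config.php:
 *   define( 'DISALLOW_FILE_EDIT', true );  // code editors
 *   define( 'DISALLOW_FILE_MODS', true );  // install/update/delete
 * This filter makes the same mapping explicit and also works on hosts
 * where wp-config.php cannot be edited.
 */

// Capabilities that ultimately mean "write a file under the web root".
const LOCKDOWN_FILE_CAPS = array(
    'edit_files', 'edit_themes', 'edit_plugins',            // code editors
    'install_plugins', 'upload_plugins', 'update_plugins', 'delete_plugins',
    'install_themes',  'upload_themes',  'update_themes',  'delete_themes',
    'update_core',
);

/**
 * map_meta_cap filter: any of the capabilities above is mapped to
 * 'do_not_allow', a pseudo-capability no role can hold, so
 * current_user_can() fails for every user, administrators included.
 *
 * @param string[] $caps    Primitive caps WordPress resolved so far.
 * @param string   $cap     Capability being checked.
 * @param int      $user_id User the check is for (unused here).
 * @param array    $args    Extra context (unused here).
 * @return string[]
 */
function lockdown_map_meta_cap( $caps, $cap, $user_id, $args ) {
    if ( in_array( $cap, LOCKDOWN_FILE_CAPS, true ) ) {
        return array( 'do_not_allow' );
    }
    return $caps;
}
add_filter( 'map_meta_cap', 'lockdown_map_meta_cap', 10, 4 );
```

This only closes the routes core itself offers; a third-party plugin with its own file upload or code-execution feature is outside its reach, which is the point comment 1 makes about using only trusted plugins.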
