Admins and editors are allowed to use JS in posts, pages, comments, etc., so the unfiltered_html capability should be disallowed when testing for Stored XSS with those roles (more information). Please consider using the WPScan Vulnerability Test Bench to test vulnerabilities in a standard and consistent environment.
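One way to confirm the capability is really off before testing with an admin or editor account, as an added example that is not part of the original page or of WPScan's tooling. It assumes `define( 'DISALLOW_UNFILTERED_HTML', true );` has been added to `wp-config.php`; the plugin name and file location are hypothetical.

```php
<?php
/**
 * Plugin Name: Unfiltered HTML Test Guard (added example, hypothetical name)
 *
 * Assumption: wp-config.php contains, above the "stop editing" line:
 *     define( 'DISALLOW_UNFILTERED_HTML', true );
 *
 * Save this file in wp-content/mu-plugins/ on the test site only.
 */

// On every admin screen, report whether the logged-in user can still save raw HTML/JS.
add_action( 'admin_notices', function () {
    // The constant removes unfiltered_html from every role, including administrators
    // and multisite super admins.
    $constant_set = defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML;

    // The capability check is what decides whether saved content is KSES-filtered.
    $can_raw_html = current_user_can( 'unfiltered_html' );

    $class = $can_raw_html ? 'notice notice-error' : 'notice notice-success';
    $text  = $can_raw_html
        ? 'unfiltered_html is ALLOWED for this user: script saved in content is expected behaviour, not Stored XSS.'
        : 'unfiltered_html is disallowed for this user: saved content goes through KSES filtering.';

    printf(
        '<div class="%s"><p>%s (DISALLOW_UNFILTERED_HTML: %s)</p></div>',
        esc_attr( $class ),
        esc_html( $text ),
        $constant_set ? 'true' : 'not set'
    );
} );
```

On multisite, only super admins hold unfiltered_html by default, so a green notice for a site administrator there does not by itself show that the constant is set.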
- For security issues in WordPress Core, please report them via HackerOne for WordPress
- For security issues affecting Automattic products, please report them via HackerOne for Automattic