CodeColorer Security & Risk Analysis

wordpress.org/plugins/codecolorer

Syntax highlighting for code snippets in posts, comments, and RSS, with inline code, themes, and line numbers.

1K active installs · v0.11.0 · PHP 7.0+ · WP 4.0+ · Updated Mar 14, 2026
Tags: code, comments, highlighting, snippet, syntax

Score: 73 · B · Generally Safe
CVEs total: 2
Unpatched: 1
Last CVE: Dec 30, 2025
Safety Verdict

Is CodeColorer Safe to Use in 2026?

Mostly Safe

Score 73/100

CodeColorer is generally safe to use. 2 past CVEs were resolved. Keep it updated.

2 known CVEs · 1 unpatched · Last CVE: Dec 30, 2025 · Updated 21d ago
Risk Assessment

The "codecolorer" plugin, version 0.11.0, exhibits a mixed security posture. On the positive side, the static analysis reveals an extremely small attack surface with no apparent AJAX handlers, REST API routes, shortcodes, or cron events. The code also demonstrates good practices regarding SQL queries, exclusively using prepared statements, and generally strong output escaping (93%). Nonce and capability checks are present, indicating some security awareness in the development. However, the presence of one unpatched high-severity vulnerability, identified as Cross-Site Scripting, is a significant concern. This historical pattern of vulnerabilities, particularly XSS, suggests potential weaknesses in input sanitization or output encoding for certain edge cases that have been exploited in the past.

While the current static analysis doesn't flag critical taint flows or dangerous functions, the existence of past XSS vulnerabilities, coupled with the fact that one remains unpatched, points to a residual risk. The single file operation, though not inherently dangerous, warrants a quick review to ensure it's not a vector for further issues. The inclusion of TinyMCE as a bundled library, if not kept up-to-date by the plugin author, could also introduce risks, although this is not explicitly flagged as an issue in the provided data. Overall, the plugin has strengths in its limited attack surface and prepared SQL, but the unpatched XSS vulnerability is a clear and present danger that overshadows these positives.

Key Concerns

  • Unpatched high-severity CVE
  • Known XSS vulnerability history
  • Bundled library (TinyMCE)
Vulnerabilities (2)

CodeColorer Security Vulnerabilities

CVEs by Year

  • 2023: 1 CVE (patched)
  • 2025: 1 CVE (unpatched)

Severity Breakdown

  • High: 1
  • Medium: 1

2 total CVEs

CVE-2025-68012 · High · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CodeColorer <= 0.10.1 - Unauthenticated Stored Cross-Site Scripting

Dec 30, 2025 · Unpatched

CVE-2023-2795 · Medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CodeColorer <= 0.10.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Jun 5, 2023 · Patched in 0.10.1 (232d)
Code Analysis
Analyzed Mar 16, 2026

CodeColorer Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 3 (38 escaped)
Nonce Checks: 1
Capability Checks: 3
File Operations: 1
External Requests: 0
Bundled Libraries: 1

Bundled Libraries

TinyMCE

Output Escaping

93% escaped (41 total outputs)
Data Flows: All sanitized

Data Flow Analysis

2 flows
  • dismissNotice (codecolorer.php:213)
Attack Surface

CodeColorer Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 23

  • action · admin_init · codecolorer.php:86
  • action · admin_menu · codecolorer.php:89
  • action · admin_post_codecolorer_dismiss_notice · codecolorer.php:92
  • action · admin_enqueue_scripts · codecolorer.php:95
  • action · wp_enqueue_scripts · codecolorer.php:96
  • action · admin_notices · codecolorer.php:100
  • filter · plugin_row_meta · codecolorer.php:107
  • filter · the_content · codecolorer.php:110
  • filter · the_content · codecolorer.php:111
  • filter · the_excerpt · codecolorer.php:112
  • filter · the_excerpt · codecolorer.php:113
  • filter · comment_text · codecolorer.php:114
  • filter · comment_text · codecolorer.php:115
  • filter · book_review · codecolorer.php:116
  • filter · book_review · codecolorer.php:117
  • filter · pre_comment_content · codecolorer.php:120
  • filter · pre_comment_content · codecolorer.php:121
  • filter · tablepress_cell_content · codecolorer.php:124
  • filter · tablepress_cell_content · codecolorer.php:125
  • filter · sdm_downloads_description · codecolorer.php:128
  • filter · sdm_downloads_description · codecolorer.php:129
  • filter · tiny_mce_before_init · codecolorer.php:163
  • filter · teeny_mce_before_init · codecolorer.php:164
Maintenance & Trust

CodeColorer Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 14, 2026
PHP min version: 7.0
Downloads: 125K

Community Trust

Rating: 98/100
Number of ratings: 11
Active installs: 1K
Developer Profile

CodeColorer Developer Profile

Dmytro Shteflyuk

3 plugins · 1K total installs

Trust score: 66
Avg Security Score: 81/100
Avg Patch Time: 232 days
Detection Fingerprints

How We Detect CodeColorer

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/codecolorer/codecolorer-admin.css
  • /wp-content/plugins/codecolorer/codecolorer-frontend.css
  • /wp-content/plugins/codecolorer/js/codecolorer-admin.js
  • /wp-content/plugins/codecolorer/js/codecolorer-frontend.js
Script Paths
  • /wp-content/plugins/codecolorer/js/codecolorer-admin.js
  • /wp-content/plugins/codecolorer/js/codecolorer-frontend.js
Version Parameters
  • codecolorer/codecolorer-admin.css?ver=
  • codecolorer/codecolorer-frontend.css?ver=
  • codecolorer/js/codecolorer-admin.js?ver=
  • codecolorer/js/codecolorer-frontend.js?ver=

HTML / DOM Fingerprints

HTML Comments
  • Copyright 2006 - 2026 Dmytro Shteflyuk <kpumuk@kpumuk.info>
  • This program is free software; you can redistribute it and/or modify
  • This program is distributed in the hope that it will be useful,
  • You should have received a copy of the GNU General Public License
  • +21 more
Data Attributes
  • data-codecolorer-language
JS Globals
  • codecolorer_admin_script
  • codecolorer_frontend_script
FAQ

Frequently Asked Questions about CodeColorer