SyntaxHighlighter Evolved Security & Risk Analysis

wordpress.org/plugins/syntaxhighlighter

Easily post syntax-highlighted code to your site without having to modify the code at all. As seen on WordPress.com.

20K active installs · v3.7.2 · PHP 7.0+ · WP 5.7+ · Updated Mar 3, 2025
Tags: code, php, source, sourcecode, syntax-highlighting

Score: 89 (A · Safe)
CVEs total: 3
Unpatched: 0
Last CVE: Mar 27, 2025
Safety Verdict

Is SyntaxHighlighter Evolved Safe to Use in 2026?

Generally Safe

Score 89/100

SyntaxHighlighter Evolved has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEs · Last CVE: Mar 27, 2025 · Updated 1yr ago
Risk Assessment

The "syntaxhighlighter" plugin v3.7.2 exhibits a mixed security posture. On the positive side, static analysis shows a commendably small attack surface: no AJAX handlers, REST API routes, shortcodes, or cron events were identified. All SQL queries use prepared statements, and there are no file operations or external HTTP requests, which are strong indicators of secure coding practice in these areas.

Concerns arise from output escaping: only 59% of outputs are properly escaped, leaving a significant portion potentially vulnerable. The complete absence of nonce and capability checks is also a notable weakness, since any entry point discovered later may lack adequate authorization protection.

The vulnerability history is particularly concerning, with a total of 3 known CVEs: one high-severity and two medium-severity cross-site scripting (XSS) vulnerabilities. That the most recent vulnerability was identified on Mar 27, 2025 suggests a recurring pattern of security flaws; while the absence of any currently unpatched vulnerabilities is positive, it does not negate the historical trend. This history points to a plugin that has struggled with secure output handling and input sanitization, leading to recurring XSS issues.

Key Concerns

  • High percentage of unescaped outputs
  • No nonce checks found
  • No capability checks found
  • One high severity CVE historically
  • Two medium severity CVEs historically
Vulnerabilities (3)

SyntaxHighlighter Evolved Security Vulnerabilities

CVEs by Year

  • 2014: 1 CVE
  • 2019: 1 CVE
  • 2025: 1 CVE

Severity Breakdown

High: 1
Medium: 2

3 total CVEs

CVE-2025-30903 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

SyntaxHighlighter Evolved <= 3.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Mar 27, 2025 · Patched in 3.7.2 (7d)

WF-e94e39d3-61da-4adb-a89a-97cda4c9203d-syntaxhighlighter · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

SyntaxHighlighter Evolved < 3.5.1 - Stored Cross-Site Scripting

Oct 21, 2019 · Patched in 3.5.1 (1555d)

WF-e6270944-31c0-4d6d-a23f-87fce37ff8b0-syntaxhighlighter · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

SyntaxHighlighter Evolved <= 3.1.9 - Cross-Site Scripting

Aug 1, 2014 · Patched in 3.1.10 (3462d)
Code Analysis
Analyzed Mar 16, 2026

SyntaxHighlighter Evolved Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 24 (35 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

59% escaped (59 total outputs)
Attack Surface

SyntaxHighlighter Evolved Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 27

  • filter the_content (syntaxhighlighter.php:45)
  • filter comment_text (syntaxhighlighter.php:46)
  • filter bp_get_the_topic_post_content (syntaxhighlighter.php:47)
  • filter content_save_pre (syntaxhighlighter.php:50)
  • filter pre_comment_content (syntaxhighlighter.php:51)
  • filter group_forum_post_text_before_save (syntaxhighlighter.php:52)
  • filter group_forum_topic_text_before_save (syntaxhighlighter.php:53)
  • filter the_editor_content (syntaxhighlighter.php:56)
  • filter comment_edit_pre (syntaxhighlighter.php:57)
  • filter bp_get_the_topic_text (syntaxhighlighter.php:58)
  • filter bp_get_the_topic_post_edit_text (syntaxhighlighter.php:59)
  • action wp_footer (syntaxhighlighter.php:62)
  • action admin_footer (syntaxhighlighter.php:63)
  • action admin_init (syntaxhighlighter.php:66)
  • action admin_menu (syntaxhighlighter.php:67)
  • filter mce_external_plugins (syntaxhighlighter.php:68)
  • filter save_post (syntaxhighlighter.php:69)
  • filter plugin_action_links (syntaxhighlighter.php:70)
  • action enqueue_block_editor_assets (syntaxhighlighter.php:77)
  • action the_content (syntaxhighlighter.php:78)
  • filter widget_text (syntaxhighlighter.php:88)
  • filter widget_update_callback (syntaxhighlighter.php:89)
  • filter widget_form_callback (syntaxhighlighter.php:90)
  • filter the_content (syntaxhighlighter.php:476)
  • action admin_print_footer_scripts (syntaxhighlighter.php:579)
  • filter pre_do_shortcode_tag (syntaxhighlighter.php:700)
  • action init (syntaxhighlighter.php:1822)
Maintenance & Trust

SyntaxHighlighter Evolved Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Mar 3, 2025
PHP min version: 7.0
Downloads: 1.1M

Community Trust

Rating: 86/100
Number of ratings: 86
Active installs: 20K
Developer Profile

SyntaxHighlighter Evolved Developer Profile

Alex Mills

5 plugins · 1.0M total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 1675 days
Detection Fingerprints

How We Detect SyntaxHighlighter Evolved

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shCore.js
  • /wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shBrushAS3.js
  • /wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shBrushArduino.js
  • /wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shBrushBash.js
  • /wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shBrushColdFusion.js
  • /wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shBrushCpp.js
  • /wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shBrushCSharp.js
  • /wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shBrushCss.js
  • +72 more
Script Paths
  • syntaxhighlighter3/scripts/shCore.js
  • syntaxhighlighter3/scripts/shBrushAS3.js
  • syntaxhighlighter3/scripts/shBrushArduino.js
  • syntaxhighlighter3/scripts/shBrushBash.js
  • syntaxhighlighter3/scripts/shBrushColdFusion.js
  • syntaxhighlighter3/scripts/shBrushCpp.js
  • +52 more
Version Parameters
  • syntaxhighlighter/syntaxhighlighter3/scripts/shCore.js?ver=
  • syntaxhighlighter/syntaxhighlighter3/styles/shCore.css?ver=
  • syntaxhighlighter/syntaxhighlighter2/scripts/shCore.js?ver=
  • syntaxhighlighter/syntaxhighlighter2/styles/shCore.css?ver=
  • syntaxhighlighter/syntaxhighlighter.js?ver=

HTML / DOM Fingerprints

CSS Classes
syntaxhighlighter, syntaxhighlighter-code, syntaxhighlighter-pre, syntaxhighlighter-wrap
Data Attributes
data-syntaxhighlight
JS Globals
SyntaxHighlighter
Shortcode Output
[syntaxhighlighter][/syntaxhighlighter], [code][/code]
FAQ

Frequently Asked Questions about SyntaxHighlighter Evolved