Urvanov Syntax Highlighter Security & Risk Analysis

wordpress.org/plugins/urvanov-syntax-highlighter

Reincarnation of Crayon Syntax Highlighter. Syntax Highlighter supporting multiple languages, themes, fonts, highlighting from a URL, or post text.

3K active installs · v2.9.0 · PHP + · WP 6.7+ · Updated Jun 25, 2025
Tags: code, code-highlighter, highlighter, highlighting, syntax-highlighter
100
A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Oct 6, 2023
Safety Verdict

Is Urvanov Syntax Highlighter Safe to Use in 2026?

Generally Safe

Score 100/100

Urvanov Syntax Highlighter has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Oct 6, 2023 · Updated 9mo ago
Risk Assessment

The urvanov-syntax-highlighter v2.9.0 plugin exhibits a mixed security posture. While it demonstrates a strong adherence to secure database practices with 100% of SQL queries using prepared statements and a history of only medium and low severity vulnerabilities, several critical areas raise concerns. The plugin has a significant attack surface of 13 unprotected AJAX handlers, indicating a high potential for unauthorized actions if these endpoints can be triggered by unauthenticated users. Furthermore, a concerning 72% of output operations are not properly escaped, suggesting a risk of Cross-Site Scripting (XSS) vulnerabilities where user-supplied data could be rendered in the browser without sanitization. The presence of one flow with unsanitized paths, although not critical or high severity, warrants attention. The plugin's vulnerability history, with a past medium severity issue and the absence of unpatched CVEs, is a positive sign, but the large number of unprotected AJAX endpoints and the high rate of unescaped output are immediate risks that need to be addressed to improve its overall security.

Key Concerns

  • 13 unprotected AJAX handlers
  • 72% of outputs not properly escaped
  • 1 flow with unsanitized paths
  • 1 medium severity vulnerability history
Vulnerabilities
1

Urvanov Syntax Highlighter Security Vulnerabilities

CVEs by Year

1 CVE in 2023

Severity Breakdown

Medium: 1

1 total CVE

CVE-2023-45106 · medium · 5.4 · Cross-Site Request Forgery (CSRF)

Urvanov Syntax Highlighter <= 2.8.33 - Cross-Site Request Forgery via init_ajax

Oct 6, 2023 · Patched in 2.8.34 (109d)
Code Analysis
Analyzed Mar 16, 2026

Urvanov Syntax Highlighter Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 108 (43 escaped)
Nonce Checks: 10
Capability Checks: 2
File Operations: 18
External Requests: 1
Bundled Libraries: 1

Bundled Libraries

TinyMCE

Output Escaping

28% escaped · 151 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

2 flows · 1 with unsanitized paths
ajax_highlight (class-urvanov-syntax-highlighter-plugin.php:221)
Attack Surface
13 unprotected

Urvanov Syntax Highlighter Attack Surface

Entry Points: 13
Unprotected: 13

AJAX Handlers 13

auth · wp_ajax_urvanov-syntax-highlighter-tag-editor · class-urvanov-syntax-highlighter-plugin.php:1082
nopriv · wp_ajax_urvanov-syntax-highlighter-tag-editor · class-urvanov-syntax-highlighter-plugin.php:1083
auth · wp_ajax_urvanov-syntax-highlighter-highlight · class-urvanov-syntax-highlighter-plugin.php:1084
nopriv · wp_ajax_urvanov-syntax-highlighter-highlight · class-urvanov-syntax-highlighter-plugin.php:1085
auth · wp_ajax_urvanov-syntax-highlighter-ajax · class-urvanov-syntax-highlighter-plugin.php:1087
auth · wp_ajax_urvanov-syntax-highlighter-theme-editor · class-urvanov-syntax-highlighter-plugin.php:1088
auth · wp_ajax_urvanov-syntax-highlighter-theme-editor-save · class-urvanov-syntax-highlighter-plugin.php:1089
auth · wp_ajax_urvanov-syntax-highlighter-theme-editor-delete · class-urvanov-syntax-highlighter-plugin.php:1090
auth · wp_ajax_urvanov-syntax-highlighter-theme-editor-duplicate · class-urvanov-syntax-highlighter-plugin.php:1091
auth · wp_ajax_urvanov-syntax-highlighter-theme-editor-submit · class-urvanov-syntax-highlighter-plugin.php:1092
auth · wp_ajax_urvanov-syntax-highlighter-show-posts · class-urvanov-syntax-highlighter-plugin.php:1093
auth · wp_ajax_urvanov-syntax-highlighter-show-langs · class-urvanov-syntax-highlighter-plugin.php:1094
auth · wp_ajax_urvanov-syntax-highlighter-show-preview · class-urvanov-syntax-highlighter-plugin.php:1095

WordPress Hooks 43
filter · init · class-urvanov-syntax-highlighter-plugin.php:1385
action · wp · class-urvanov-syntax-highlighter-plugin.php:1389
filter · the_posts · class-urvanov-syntax-highlighter-plugin.php:1391
filter · the_content · class-urvanov-syntax-highlighter-plugin.php:1395
filter · bbp_get_reply_content · class-urvanov-syntax-highlighter-plugin.php:1398
filter · bbp_get_topic_content · class-urvanov-syntax-highlighter-plugin.php:1399
filter · bbp_get_forum_content · class-urvanov-syntax-highlighter-plugin.php:1400
filter · bbp_get_topic_excerpt · class-urvanov-syntax-highlighter-plugin.php:1401
action · init · class-urvanov-syntax-highlighter-plugin.php:1404
filter · comment_text · class-urvanov-syntax-highlighter-plugin.php:1409
filter · comment_text · class-urvanov-syntax-highlighter-plugin.php:1410
filter · get_the_excerpt · class-urvanov-syntax-highlighter-plugin.php:1414
filter · get_the_excerpt · class-urvanov-syntax-highlighter-plugin.php:1415
filter · the_excerpt · class-urvanov-syntax-highlighter-plugin.php:1416
action · template_redirect · class-urvanov-syntax-highlighter-plugin.php:1418
filter · comment_form_defaults · class-urvanov-syntax-highlighter-plugin.php:1421
action · update_post · class-urvanov-syntax-highlighter-plugin.php:1428
action · save_post · class-urvanov-syntax-highlighter-plugin.php:1429
filter · wp_insert_post_data · class-urvanov-syntax-highlighter-plugin.php:1430
action · comment_post · class-urvanov-syntax-highlighter-plugin.php:1435
action · edit_comment · class-urvanov-syntax-highlighter-plugin.php:1436
filter · init · class-urvanov-syntax-highlighter-plugin.php:1438
action · rest_after_insert_post · class-urvanov-syntax-highlighter-plugin.php:1439
action · init · class-urvanov-syntax-highlighter-plugin.php:1454
action · init · class-urvanov-syntax-highlighter-settings.php:160
action · admin_print_styles-post-new.php · class-urvanov-syntax-highlighter-wp.php:62
action · admin_print_styles-post.php · class-urvanov-syntax-highlighter-wp.php:63
action · admin_print_styles-post-new.php · class-urvanov-syntax-highlighter-wp.php:64
action · admin_print_styles-post.php · class-urvanov-syntax-highlighter-wp.php:65
filter · contextual_help · class-urvanov-syntax-highlighter-wp.php:72
action · admin_menu · class-urvanov-syntax-highlighter-wp.php:1305
filter · plugin_row_meta · class-urvanov-syntax-highlighter-wp.php:1306
action · admin_print_scripts-post-new.php · util\tag-editor\class-urvanov-syntax-highlighter-tag-editor-wp.php:15
action · admin_print_scripts-post.php · util\tag-editor\class-urvanov-syntax-highlighter-tag-editor-wp.php:16
filter · tiny_mce_before_init · util\tag-editor\class-urvanov-syntax-highlighter-tag-editor-wp.php:17
action · admin_print_scripts-post-new.php · util\tag-editor\class-urvanov-syntax-highlighter-tag-editor-wp.php:19
action · admin_print_scripts-post.php · util\tag-editor\class-urvanov-syntax-highlighter-tag-editor-wp.php:20
action · wp · util\tag-editor\class-urvanov-syntax-highlighter-tag-editor-wp.php:24
filter · tiny_mce_before_init · util\tag-editor\class-urvanov-syntax-highlighter-tag-editor-wp.php:25
filter · mce_external_plugins · util\tag-editor\class-urvanov-syntax-highlighter-tag-editor-wp.php:113
filter · mce_buttons · util\tag-editor\class-urvanov-syntax-highlighter-tag-editor-wp.php:114
filter · bbp_before_get_the_content_parse_args · util\tag-editor\class-urvanov-syntax-highlighter-tag-editor-wp.php:115
action · init · util\tag-editor\class-urvanov-syntax-highlighter-tag-editor-wp.php:297

Maintenance & Trust

Urvanov Syntax Highlighter Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Jun 25, 2025
PHP min version
Downloads: 64K

Community Trust

Rating: 90/100
Number of ratings: 19
Active installs: 3K

Developer Profile

Urvanov Syntax Highlighter Developer Profile

urvanov

2 plugins · 3K total installs

Trust score: 79
Avg Security Score: 100/100
Avg Patch Time: 109 days
Detection Fingerprints

How We Detect Urvanov Syntax Highlighter

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/urvanov-syntax-highlighter/css/crayon_code_highlight.css
/wp-content/plugins/urvanov-syntax-highlighter/js/crayon_code_highlight.min.js
Script Paths
/wp-content/plugins/urvanov-syntax-highlighter/js/crayon_code_highlight.min.js
Version Parameters
urvanov-syntax-highlighter/css/crayon_code_highlight.css?ver=
urvanov-syntax-highlighter/js/crayon_code_highlight.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
crayon-inline
crayon-script
crayon-syntax
Data Attributes
data-settings
JS Globals
crayon_syntax_highlighter
CrayonSyntaxHighlighter
Shortcode Output
[crayon-
[/crayon]
[crayon