WP SyntaxHighlighter Security & Risk Analysis

wordpress.org/plugins/wp-syntaxhighlighter

This plugin is a code syntax highlighter based on SyntaxHighlighter ver. 3.0.83 and 2.1.382.

Active installs: 300 · Version: v1.7.3 · Requires: PHP + WP 2.8+ · Updated: Feb 29, 2012
Tags: code, highlight, source code, syntax, syntaxhighlighter
Security score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is WP SyntaxHighlighter Safe to Use in 2026?

Generally Safe

Score 85/100

WP SyntaxHighlighter has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 14 years ago
Risk Assessment

The 'wp-syntaxhighlighter' v1.7.3 plugin exhibits a generally good security posture with no known vulnerabilities or recorded CVEs. The static analysis reveals a low attack surface with no AJAX handlers, REST API routes, shortcodes, or cron events, indicating a limited number of potential entry points. Furthermore, all detected SQL queries utilize prepared statements, which is a strong practice for preventing SQL injection. The presence of nonce and capability checks throughout the code also suggests an awareness of security best practices.

However, there are areas of concern. The use of `create_function` is a significant risk, as it can be exploited for code execution if user input is not strictly controlled. The single call detected here (in wp-syntaxhighlighter-widget.php, listed under Code Analysis) passes only string literals, so it is not a direct injection path; note, though, that `create_function` was deprecated in PHP 7.2 and removed in PHP 8.0, so that widget registration fails outright on current PHP versions. While the taint analysis did not identify critical or high severity flows, the two flows with unsanitized paths warrant investigation, as they could potentially lead to vulnerabilities. Additionally, a relatively low percentage of output escaping (26%) is concerning, as it increases the risk of Cross-Site Scripting (XSS) vulnerabilities, especially if any of the unsanitized paths or the `create_function` usage can be influenced by user-supplied data.

Given the clean vulnerability history, it's possible these code signals haven't been exploited yet, or that other security measures mitigate the risks. However, the presence of `create_function` and the limited output escaping represent actionable security weaknesses that should be addressed to further harden the plugin.

Key Concerns

  • Use of dangerous function: create_function
  • Low percentage of properly escaped output
  • Flows with unsanitized paths found
Vulnerabilities
None known

WP SyntaxHighlighter Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

WP SyntaxHighlighter Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 90 (32 escaped)
Nonce Checks: 2
Capability Checks: 31
File Operations: 0
External Requests: 0
Bundled Libraries: 1

Dangerous Functions Found

create_function (wp-syntaxhighlighter-widget.php:90):

    add_action('widgets_init', create_function('', 'return register_widget("WPSyntaxHighlighterWidget");'));

Bundled Libraries

TinyMCE

Output Escaping

26% escaped (32 of 122 total outputs)
Data Flows
2 unsanitized

Data Flow Analysis

5 flows, 2 with unsanitized paths

wp_sh_load_addl_style (wp-syntaxhighlighter.php:810)
[Flow diagram not reproduced in text. Legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized]
Attack Surface

WP SyntaxHighlighter Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 101

Type   | Hook                                  | Location
action | bbp_head                              | bbpress-highlight-button.php:12
action | bbp_enqueue_scripts                   | bbpress-highlight-button.php:16
action | bbp_theme_before_topic_form_content   | bbpress-highlight-button.php:18
action | bbp_theme_before_reply_form_content   | bbpress-highlight-button.php:19
action | bbp_theme_before_topic_form_content   | bbpress-highlight.php:11
action | bbp_theme_before_reply_form_content   | bbpress-highlight.php:12
action | bbp_init                              | bbpress-highlight.php:19
filter | bbp_new_topic_pre_content             | bbpress-highlight.php:31
filter | bbp_new_reply_pre_content             | bbpress-highlight.php:33
filter | bbp_edit_topic_pre_content            | bbpress-highlight.php:35
filter | bbp_edit_reply_pre_content            | bbpress-highlight.php:37
filter | bbp_new_topic_pre_content             | bbpress-highlight.php:42
filter | bbp_new_reply_pre_content             | bbpress-highlight.php:43
filter | bbp_edit_topic_pre_content            | bbpress-highlight.php:44
filter | bbp_edit_reply_pre_content            | bbpress-highlight.php:45
filter | bbp_new_topic_pre_content             | bbpress-highlight.php:48
filter | bbp_new_reply_pre_content             | bbpress-highlight.php:49
filter | bbp_edit_topic_pre_content            | bbpress-highlight.php:50
filter | bbp_edit_reply_pre_content            | bbpress-highlight.php:51
filter | bbp_get_topic_content                 | bbpress-highlight.php:57
filter | bbp_get_reply_content                 | bbpress-highlight.php:61
filter | bbp_get_topic_content                 | bbpress-highlight.php:65
filter | bbp_get_reply_content                 | bbpress-highlight.php:66
filter | bbp_get_topic_content                 | bbpress-highlight.php:69
filter | bbp_get_reply_content                 | bbpress-highlight.php:70
action | wp_head                               | comment-highlight-button.php:12
action | wp_print_scripts                      | comment-highlight-button.php:30
action | comment_form_after_fields             | comment-highlight-button.php:40
action | comment_form_logged_in_after          | comment-highlight-button.php:41
action | init                                  | comment-highlight.php:17
filter | pre_comment_content                   | comment-highlight.php:25
filter | comment_text                          | comment-highlight.php:32
filter | pre_comment_content                   | comment-highlight.php:36
filter | comment_text                          | comment-highlight.php:37
filter | pre_comment_content                   | comment-highlight.php:40
filter | comment_text                          | comment-highlight.php:44
action | admin_notices                         | sample\lang-pack-for-wp-syntaxhighlighter\lang-pack-for-wp-syntaxhighlighter.php:151
action | admin_menu                            | sample\lang-pack-for-wp-syntaxhighlighter\lang-pack-for-wp-syntaxhighlighter.php:170
action | wpsh_css_for_3                        | sample\lang-pack-for-wp-syntaxhighlighter\lang-pack-for-wp-syntaxhighlighter.php:178
action | wpsh_css_for_2                        | sample\lang-pack-for-wp-syntaxhighlighter\lang-pack-for-wp-syntaxhighlighter.php:197
action | admin_head-post.php                   | sh-pre-quicktag.php:16
action | admin_head-post-new.php               | sh-pre-quicktag.php:17
action | admin_head-page.php                   | sh-pre-quicktag.php:18
action | admin_head-page-new.php               | sh-pre-quicktag.php:19
action | admin_head-comment.php                | sh-pre-quicktag.php:23
action | admin_print_footer_scripts            | sh-pre-quicktag.php:35
action | admin_print_footer_scripts            | sh-pre-quicktag.php:39
action | admin_footer-post.php                 | sh-pre-quicktag.php:171
action | admin_footer-post-new.php             | sh-pre-quicktag.php:172
action | admin_footer-page.php                 | sh-pre-quicktag.php:173
action | admin_footer-page-new.php             | sh-pre-quicktag.php:174
action | admin_footer-comment.php              | sh-pre-quicktag.php:178
filter | mce_external_plugins                  | sh-tinymce-button-box\sh-tinymce-button-box.php:18
filter | mce_buttons                           | sh-tinymce-button-box\sh-tinymce-button-box.php:23
filter | wp_fullscreen_buttons                 | sh-tinymce-button-box\sh-tinymce-button-box.php:26
filter | tiny_mce_version                      | sh-tinymce-button-box\sh-tinymce-button-box.php:64
action | init                                  | sh-tinymce-button-box\sh-tinymce-button-box.php:66
filter | mce_external_plugins                  | sh-tinymce-button-ins\sh-tinymce-button-ins.php:18
filter | mce_buttons                           | sh-tinymce-button-ins\sh-tinymce-button-ins.php:23
filter | wp_fullscreen_buttons                 | sh-tinymce-button-ins\sh-tinymce-button-ins.php:26
filter | tiny_mce_version                      | sh-tinymce-button-ins\sh-tinymce-button-ins.php:65
action | init                                  | sh-tinymce-button-ins\sh-tinymce-button-ins.php:67
action | init                                  | wp-sh-shortcode.php:13
action | admin_menu                            | wp-syntaxhighlighter-admin.php:11
action | admin_notices                         | wp-syntaxhighlighter-admin.php:35
action | admin_notices                         | wp-syntaxhighlighter-admin.php:38
action | in_admin_footer                       | wp-syntaxhighlighter-admin.php:219
action | admin_footer                          | wp-syntaxhighlighter-admin.php:231
action | widgets_init                          | wp-syntaxhighlighter-widget.php:90
action | plugins_loaded                        | wp-syntaxhighlighter.php:343
filter | plugin_action_links                   | wp-syntaxhighlighter.php:465
filter | tiny_mce_before_init                  | wp-syntaxhighlighter.php:489
filter | tiny_mce_before_init                  | wp-syntaxhighlighter.php:497
action | admin_print_styles-post.php           | wp-syntaxhighlighter.php:512
action | admin_print_styles-post-new.php       | wp-syntaxhighlighter.php:513
action | admin_print_styles-page.php           | wp-syntaxhighlighter.php:514
action | admin_print_styles-page-new.php       | wp-syntaxhighlighter.php:515
action | init                                  | wp-syntaxhighlighter.php:528
filter | the_content                           | wp-syntaxhighlighter.php:534
filter | content_save_pre                      | wp-syntaxhighlighter.php:539
filter | content_save_pre                      | wp-syntaxhighlighter.php:544
filter | content_save_pre                      | wp-syntaxhighlighter.php:547
filter | content_save_pre                      | wp-syntaxhighlighter.php:550
filter | the_content                           | wp-syntaxhighlighter.php:553
action | init                                  | wp-syntaxhighlighter.php:680
filter | comments_open                         | wp-syntaxhighlighter.php:694
filter | pre_comment_approved                  | wp-syntaxhighlighter.php:695
filter | comment_text                          | wp-syntaxhighlighter.php:698
action | admin_print_scripts-widgets.php       | wp-syntaxhighlighter.php:706
action | bbp_init                              | wp-syntaxhighlighter.php:720
filter | bbp_get_allowed_tags                  | wp-syntaxhighlighter.php:744
action | bbp_init                              | wp-syntaxhighlighter.php:757
filter | bbp_get_topic_content                 | wp-syntaxhighlighter.php:761
filter | bbp_get_reply_content                 | wp-syntaxhighlighter.php:762
action | init                                  | wp-syntaxhighlighter.php:769
action | wp_head                               | wp-syntaxhighlighter.php:808
filter | the_content                           | wp-syntaxhighlighter.php:844
action | wp_print_styles                       | wp-syntaxhighlighter.php:852
action | plugins_loaded                        | wp-syntaxhighlighter.php:923
action | wp_footer                             | wp-syntaxhighlighter.php:927
action | wp_footer                             | wp-syntaxhighlighter.php:932
Maintenance & Trust

WP SyntaxHighlighter Maintenance & Trust

Maintenance Signals

WordPress version tested: 3.3.2
Last updated: Feb 29, 2012
PHP min version: not specified
Downloads: 50K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 300
Developer Profile

WP SyntaxHighlighter Developer Profile

redcocker

7 plugins · 660 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect WP SyntaxHighlighter

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wp-syntaxhighlighter/lang-pack-for-wp-syntaxhighlighter/biferno/shBrushBiferno.js
  • /wp-content/plugins/wp-syntaxhighlighter/lang-pack-for-wp-syntaxhighlighter/clojure/shBrushClojure.js
  • /wp-content/plugins/wp-syntaxhighlighter/lang-pack-for-wp-syntaxhighlighter/dos-batch/shBrushDosBatch-V2.js
  • /wp-content/plugins/wp-syntaxhighlighter/lang-pack-for-wp-syntaxhighlighter/dos-batch/shBrushDosBatch-V3.js
  • /wp-content/plugins/wp-syntaxhighlighter/lang-pack-for-wp-syntaxhighlighter/fsharp/shBrushFSharp.js
  • /wp-content/plugins/wp-syntaxhighlighter/lang-pack-for-wp-syntaxhighlighter/lisp/shBrushLisp.js
  • /wp-content/plugins/wp-syntaxhighlighter/lang-pack-for-wp-syntaxhighlighter/lua/shBrushLua.js
  • /wp-content/plugins/wp-syntaxhighlighter/lang-pack-for-wp-syntaxhighlighter/mel/shBrushMel.js
  • +9 more

HTML / DOM Fingerprints

FAQ

Frequently Asked Questions about WP SyntaxHighlighter