Plugin inspection:

Crayon Syntax Highlighter

Potentially unsafe

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should very carefully consider its potential problems and should conduct a thorough assessment. Read more about this recommendation.

Warnings

This recommendation applies to version 2.5.0 of this plugin, but the most recent version is 2.8.4. These findings may no longer be correct.

Findings

  • The options form doesn’t escape the values it stores, but it’s not vulnerable because the form uses nonce fields
  • Uses mail() instead of wp_mail()
  • The CSS editor doesn’t appear to use nonce values and so it may contain a CSRF vulnerability

Reason for the 'Potentially unsafe' result

The plugin contains or is likely to contain a vulnerability which could be exploited by an end user and which would compromise the site’s confidentiality, integrity or availability:

Likely to contain a CSRF vulnerability in the “theme editor” (unrelated to the WordPress theme editor).
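As an added example (not the plugin's own code), this is the WordPress pattern that would address the three findings above: a nonce field on the form checked with check_admin_referer() in the handler (the missing CSRF protection), esc_textarea() on the stored value when it is output, and wp_mail() instead of mail(). The option, action and hook names are assumed for illustration.

```php
<?php
// Added example, not Crayon's code. Option and action names are hypothetical.

// 1. Render the CSS editor form. wp_nonce_field() ties the submission to the
//    current user's session; esc_textarea() escapes the stored value on output
//    so it cannot break out of the <textarea>.
function example_render_css_editor() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $css = get_option( 'example_custom_css', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'example_save_css', 'example_css_nonce' ); ?>
        <input type="hidden" name="action" value="example_save_css">
        <textarea name="example_custom_css" rows="10" cols="80"><?php echo esc_textarea( $css ); ?></textarea>
        <?php submit_button( 'Save CSS' ); ?>
    </form>
    <?php
}

// 2. Handle the POST. check_admin_referer() calls wp_die() when the nonce is
//    missing or invalid, which is what blocks a cross-site forged request;
//    the capability check runs again because the nonce alone does not prove
//    the user is allowed to write the option.
function example_save_css() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'example_save_css', 'example_css_nonce' );

    $css = isset( $_POST['example_custom_css'] ) ? wp_unslash( $_POST['example_custom_css'] ) : '';
    // Strip tags so a value like "</style><script>" cannot be stored and later echoed into the page.
    update_option( 'example_custom_css', wp_strip_all_tags( $css ) );

    // wp_mail() rather than mail(): honours the site's mail configuration and filters.
    wp_mail( get_option( 'admin_email' ), 'Custom CSS updated', 'The custom CSS option was changed.' );

    wp_safe_redirect( admin_url( 'options-general.php?page=example-css&updated=1' ) );
    exit;
}
add_action( 'admin_post_example_save_css', 'example_save_css' );
```

The same nonce/capability pair belongs on every admin form the plugin exposes, not only the CSS editor.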

Failure criteria

  • Failure to use available core functionality
  • Lack of proper output escaping

Read more about our failure criteria.