Plugin inspection:

SyntaxHighlighter Evolved

No issues found

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

We didn't find anything worrying in this plugin. It's probably safe. Read more about this recommendation.


This recommendation applies to version 3.1.10 of this plugin, but the most recent version is 3.7.0. These findings may no longer be correct.


  • The settings form is not escaped properly. Most values are escaped¬†by prepending backslashes to single quotes (“</script><script>alert(1)</script>”¬†would break that) instead of using the available esc_js() function. And one value is not escaped at all. But this is not an issue because the form does not appear to be vulnerable to CSRF.

Failure criteria

  • Failure to use available core functionality
  • Lack of proper output escaping

Read more about our failure criteria.