Impact
The flaw is a DOM‑based Cross‑Site Scripting vulnerability that allows an attacker to inject arbitrary HTML or JavaScript into web pages served by the SyntaxHighlighter Evolved plugin. Because the plugin fails to properly neutralize user‑supplied input when generating the page, the injected code runs in the victim’s browser, potentially compromising their session data, executing malware, or performing phishing attacks. This weakness is classified as CWE‑79 (Improper Neutralization of Input During Web Page Generation) and elevates the integrity risk for any site relying on the plugin.
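The mitigation for CWE‑79 is output encoding: untrusted text must be escaped (or inserted as text rather than markup) before it reaches the page. The following is an added illustration, not code from the SyntaxHighlighter Evolved plugin or from the advisory; the function names, the `<pre class="brush: ...">` markup shape and the sample snippet are assumptions made for the example.

```javascript
// Added example (not the plugin's code): HTML output encoding that
// neutralizes untrusted text before it is placed into a page.
// escapeHtml, renderCodeBlock, renderCodeBlockUnsafe, setCodeText and
// sampleSnippet are hypothetical names chosen for this illustration.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace every character that carries meaning in an HTML text or
// attribute context. '&' is included so pre-existing entities in the
// input cannot be used to smuggle markup through the encoder.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe pattern (the CWE-79 shape): untrusted text is concatenated
// straight into markup, so a snippet containing tags becomes live HTML.
function renderCodeBlockUnsafe(language, source) {
  return `<pre class="brush: ${language}">${source}</pre>`;
}

// Safe pattern: the language comes from an allow-list, and the snippet
// body is escaped, so tags in the input render as visible text.
function renderCodeBlock(language, source) {
  const allowed = new Set(['javascript', 'php', 'python']);
  const lang = allowed.has(language) ? language : 'plain';
  return `<pre class="brush: ${lang}">${escapeHtml(source)}</pre>`;
}

// Browser-side equivalent for DOM-based rendering: assign textContent
// instead of innerHTML, so the browser never parses the text as markup.
function setCodeText(preElement, source) {
  preElement.textContent = String(source);
  return preElement.textContent;
}

// Constructed sample input: a "code snippet" that tries to close the
// <pre> element early and inject its own markup into the page.
const sampleSnippet = '</pre><b>injected markup</b>';

console.log('unsafe:', renderCodeBlockUnsafe('php', sampleSnippet));
console.log('safe:  ', renderCodeBlock('php', sampleSnippet));
```

Run with `node`: the unsafe output contains a closed `</pre>` followed by a live `<b>` element, while the safe output keeps the entire snippet inside the `<pre>` as escaped text. The allow-list on the language parameter matters because it lands inside an attribute value, where escaping alone is not the right tool.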
Affected Systems
The vulnerability affects the SyntaxHighlighter Evolved plugin developed by Alex Mills in version 3.7.1 and older; every release from the earliest available through 3.7.1 (inclusive) is impacted. Users running any of these versions of the plugin on their WordPress sites are at risk.
Risk and Exploitability
The CVSS base score of 6.5 indicates a medium to high severity, while the EPSS score of <1% shows that the likelihood of public exploitation is currently low. The plugin is not listed in the CISA KEV catalog. An attacker could exploit this by providing malicious content via the plugin’s configuration or by targeting users who view content rendered by the plugin, triggering the DOM‑based XSS when the page loads. As the vulnerability exists in the web‑accessible component, no special access is required beyond the ability to view, or supply input to, content handled by the plugin.