Impact
The Syntax Highlighter Compress plugin contains improper neutralization of user‑supplied input, permitting reflected Cross‑Site Scripting (XSS) when a user submits crafted data that is echoed back to a page. An attacker could embed malicious scripts that run in the victim’s browser session, potentially enabling session hijacking, data theft, defacement, or further malicious actions. This flaw is a direct example of CWE‑79: Improper Neutralization of Input During Web Page Generation.
Affected Systems
The vulnerability affects the agmorpheus Syntax Highlighter Compress WordPress plugin in all versions from the first release through and including 3.0.83.3. No other vendors or versions are listed as affected.
Risk and Exploitability
The CVSS score is 7.1, indicating a high impact if exploited. The EPSS score is <1%, suggesting that the likelihood of exploitation is currently low, and the vulnerability is not listed in the CISA KEV catalog. Inferred from the description, the attack vector requires the attacker to persuade a user to visit a crafted URL or submit malicious input, which the plugin then reflects without proper encoding.
OpenCVE Enrichment