Highlighting Code Block
Monthly
Stored Cross-Site Scripting in the Highlighting Code Block WordPress plugin (versions ≤ 2.2.0) allows authenticated attackers holding administrator-level permissions to inject persistent malicious scripts via the plugin's admin settings panel, with those scripts executing in the browsers of any user who subsequently visits an affected page. Exploitation is constrained to WordPress multi-site network installations or single-site deployments where the unfiltered_html capability has been explicitly disabled - conditions that are non-default and substantially narrow the attacker population. No public exploit code or active exploitation has been identified at time of analysis; Wordfence, the reporting source, has published a fix commit to the plugin's SVN repository, though a specific patched release version is not yet confirmed.
Stored Cross-Site Scripting in the Highlighting Code Block WordPress plugin (versions ≤ 2.2.0) allows authenticated attackers holding administrator-level permissions to inject persistent malicious scripts via the plugin's admin settings panel, with those scripts executing in the browsers of any user who subsequently visits an affected page. Exploitation is constrained to WordPress multi-site network installations or single-site deployments where the unfiltered_html capability has been explicitly disabled - conditions that are non-default and substantially narrow the attacker population. No public exploit code or active exploitation has been identified at time of analysis; Wordfence, the reporting source, has published a fix commit to the plugin's SVN repository, though a specific patched release version is not yet confirmed.