WP-GeSHi-Highlight <= 1.4.3 - Author+ ReDoS

An attacker with Author-level privileges or higher can supply crafted input to the `wp_geshi_filter_replace_code()` function [ref_id=1]. The plugin processes this user-supplied input as a regular expression without any sanitization or length constraints [ref_id=1]. By submitting a pattern that exhibits catastrophic backtracking (e.g., a pattern with nested quantifiers), the attacker causes the regex engine to consume excessive CPU time, leading to a denial-of-service condition [ref_id=1]. The attack is delivered through the WordPress admin interface or any front-end input that reaches the vulnerable function, requiring only an authenticated Author account [ref_id=1].

The vulnerability resides in the `wp_geshi_filter_replace_code()` function of the WP-GeSHi-Highlight plugin [ref_id=1]. The advisory does not specify the exact file path or line number.

No fix has been published by the vendor as of the advisory's last update [ref_id=1]. The recommended remediation is to avoid passing user-supplied input directly as a regular expression, or to apply strict validation, length limits, and timeout guards on regex operations [ref_id=1]. Until a patch is released, site administrators should disable or replace the plugin.