Kévin Subileau discovered a local file disclosure vulnerability affecting all versions before 2.7.0 of Crayon Syntax Highlighter, a popular syntax highlighter built in PHP and jQuery. According to wordpress.org, the vulnerable versions of this WordPress plugin are installed on more than 40,000 websites.
This critical vulnerability allows remote attackers to read arbitrary files on the server's file system, even outside the web root. The local file syntax highlighting feature of Crayon Syntax Highlighter doesn't check the path of the file to process. Also, by default, this feature is usable through public comments. This allows unauthenticated visitors to see the content of any file the web server has read permissions on, such as PHP source files or configuration files.
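The root cause above is a missing path check on a user-supplied file name. The following is an added example, not code from Crayon Syntax Highlighter or its author: a hypothetical "read a local file for highlighting" handler in the unchecked shape the advisory describes, beside a hardened version that confines reads to a base directory and an extension allowlist. Function names, the temporary directory and the sample files are all constructed for the demonstration; it assumes PHP 7.1 or later.

```php
<?php
// Added example (not the plugin's own code). Shows why an unchecked path is
// a file-disclosure bug and how a containment check closes it.

// Unchecked shape: whatever path the visitor supplies is read as-is, so any
// file readable by the web server process can be returned.
function read_source_unchecked(string $userPath)
{
    return @file_get_contents($userPath);
}

// Hardened shape: the request must name a file that, after resolving ".." and
// symlinks, still lives inside $baseDir and has an allowlisted extension.
function read_source_checked(string $userPath, string $baseDir, array $allowedExt)
{
    $base = realpath($baseDir);
    if ($base === false) {
        return false;                     // base directory itself is missing
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // Only relative names are expected: reject NUL bytes and absolute paths up front.
    if (strpos($userPath, "\0") !== false || preg_match('#^(/|\\\\|[A-Za-z]:)#', $userPath)) {
        return false;
    }

    // realpath() canonicalises the candidate; a false result means it does not exist.
    $resolved = realpath($base . $userPath);
    if ($resolved === false || !is_file($resolved)) {
        return false;
    }

    // Containment check: the canonical path must start with the canonical base.
    if (strpos($resolved, $base) !== 0) {
        return false;
    }

    // Extension allowlist keeps configuration files out even inside the base.
    $ext = strtolower(pathinfo($resolved, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return false;
    }

    return file_get_contents($resolved);
}

// Constructed demonstration layout: a snippets directory plus a file outside it.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'highlight-demo-' . bin2hex(random_bytes(4));
mkdir($dir . '/snippets', 0700, true);
file_put_contents($dir . '/snippets/hello.c', "int main(void) { return 0; }\n");
file_put_contents($dir . '/outside.conf', "example=value\n");

$allowed = ['c', 'php', 'js'];
$snippets = $dir . '/snippets';

var_dump(read_source_checked('hello.c', $snippets, $allowed) !== false);   // bool(true): inside base, allowed extension
var_dump(read_source_checked('../outside.conf', $snippets, $allowed));     // bool(false): escapes the base directory
var_dump(read_source_checked('/etc/hostname', $snippets, $allowed));       // bool(false): absolute path rejected
var_dump(read_source_unchecked($dir . '/outside.conf') !== false);         // bool(true): no check at all

// Tidy up the constructed files.
unlink($dir . '/snippets/hello.c');
unlink($dir . '/outside.conf');
rmdir($dir . '/snippets');
rmdir($dir);
```

The check relies on `realpath()` rather than string filtering of `..`, because encoded or symlinked variants are collapsed before the comparison; the trailing separator appended to `$base` prevents a sibling directory with a matching prefix (for example `snippets-old`) from passing the `strpos` test.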
If you use it, update quickly to the latest version (>= 2.7.0).
Full story here