As I said above, if there are other ways for users to put untrusted content on your blog then this can be exploited, but only if “dynamic cached content” is enabled. If it’s turned off it can’t be exploited.

A comment on Reddit suggests that markdown will still allow the code to be executed on blogs that have this feature turned on unfortunately.

It’s something WP Super Cache inherited from WP Cache, but I never liked it or recommended using it. I’m strongly considering removing the feature completely.