Description
The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'blocksy_newsletter_subscribe' shortcode in all versions up to, and including, 2.1.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-10-30
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Update
AI Analysis

Impact

The Blocksy Companion plugin for WordPress is vulnerable to stored cross‑site scripting through its blocksy_newsletter_subscribe shortcode, allowing an attacker with contributor‑level or higher access to inject arbitrary JavaScript into attributes that are rendered on pages. This flaw causes the injected scripts to run in the context of site visitors whenever the injected content is viewed, due to insufficient input sanitization and output escaping of user‑supplied parameters.

Affected Systems

The problem affects every instance of the creativethemeshq Blocksy Companion plugin installed on a WordPress site, in all releases up to and including version 2.1.14. Users who have contributed or higher roles on the site and who can embed the plugin’s shortcode may be the source of the injection.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exfiltration or persistence is not described in the CVE entry; the flaw requires authenticated contributor or higher access, and any visitor to the page where the malicious shortcode is embedded will execute the injected script.

Generated by OpenCVE AI on April 21, 2026 at 18:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Blocksy Companion to the latest available version, which contains the necessary input sanitization and output escaping fixes.
  • If an upgrade cannot be performed immediately, remove or disable the blocksy_newsletter_subscribe shortcode from your site or lock down contributor roles to prevent injection of malicious attributes.
  • Verify that no legacy newsletter‑subscribe blocks remain in the page content and that the plugin no longer renders user‑provided attributes unsanitized.

Generated by OpenCVE AI on April 21, 2026 at 18:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 30 Oct 2025 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Creativethemes
Creativethemes blocksy Companion
Wordpress
Wordpress wordpress
Vendors & Products Creativethemes
Creativethemes blocksy Companion
Wordpress
Wordpress wordpress

Thu, 30 Oct 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 30 Oct 2025 04:45:00 +0000

Type Values Removed Values Added
Description The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'blocksy_newsletter_subscribe' shortcode in all versions up to, and including, 2.1.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Blocksy Companion <= 2.1.14 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Creativethemes Blocksy Companion
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:27:57.538Z

Reserved: 2025-10-29T16:13:20.241Z

Link: CVE-2025-12475

cve-icon Vulnrichment

Updated: 2025-10-30T13:54:03.092Z

cve-icon NVD

Status : Deferred

Published: 2025-10-30T05:15:37.967

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12475

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T18:45:06Z

Weaknesses