Impact
The Blocksy Companion Pro plugin in versions older than 2.1.29 contains an unauthenticated SQL injection flaw that allows users to inject malicious SQL directly into database queries. This vulnerability can enable attackers to read, modify, or delete data stored in the WordPress database. The weakness is classified as CWE‑89. No exploitation of remote code execution is mentioned in the CVE description.
Affected Systems
This vulnerability affects WordPress sites that have the Creative Themes Blocksy Companion Pro plugin installed with a version lower than 2.1.29. Any site using the plugin before the patched release remains at risk.
Risk and Exploitability
The CVSS v3.1 score of 9.3 marks the issue as Critical. EPSS information is not available, so the exact likelihood of exploitation cannot be quantified, but the absence of an authentication barrier means the flaw can be leveraged via a web request to any exposed plugin endpoint. The vulnerability is not currently listed in the CISA KEV catalog, yet the high severity warrants that administrators pay close attention to the attack surface provided by this plugin.
OpenCVE Enrichment