Description
Unauthenticated SQL Injection in Blocksy Companion Pro < 2.1.29 versions.
Published: 2026-06-17
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Blocksy Companion Pro plugin in versions older than 2.1.29 contains an unauthenticated SQL injection flaw that allows users to inject malicious SQL directly into database queries. This vulnerability can enable attackers to read, modify, or delete data stored in the WordPress database. The weakness is classified as CWE‑89. No exploitation of remote code execution is mentioned in the CVE description.

Affected Systems

This vulnerability affects WordPress sites that have the Creative Themes Blocksy Companion Pro plugin installed with a version lower than 2.1.29. Any site using the plugin before the patched release remains at risk.

Risk and Exploitability

The CVSS v3.1 score of 9.3 marks the issue as Critical. EPSS information is not available, so the exact likelihood of exploitation cannot be quantified, but the absence of an authentication barrier means the flaw can be leveraged via a web request to any exposed plugin endpoint. The vulnerability is not currently listed in the CISA KEV catalog, yet the high severity warrants that administrators pay close attention to the attack surface provided by this plugin.

Generated by OpenCVE AI on June 18, 2026 at 14:06 UTC.

Remediation

Vendor Solution

Update the WordPress Blocksy Companion Pro Plugin to the latest available version (at least 2.1.29).


OpenCVE Recommended Actions

  • Upgrade the Blocksy Companion Pro plugin to version 2.1.29 or newer as soon as possible.
  • Ensure the WordPress core and all other plugins and themes are updated to the latest available versions.
  • If the plugin is not required for site functionality, uninstall or deactivate it to eliminate the vulnerability.

Generated by OpenCVE AI on June 18, 2026 at 14:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
First Time appeared Creativethemes
Creativethemes blocksy Companion
Wordpress
Wordpress wordpress
Vendors & Products Creativethemes
Creativethemes blocksy Companion
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated SQL Injection in Blocksy Companion Pro < 2.1.29 versions.
Title WordPress Blocksy Companion Pro plugin < 2.1.29 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Subscriptions

Creativethemes Blocksy Companion
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T12:32:58.186Z

Reserved: 2026-04-07T10:48:50.116Z

Link: CVE-2026-39596

cve-icon Vulnrichment

Updated: 2026-06-17T12:32:54.198Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T07:30:05Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')