Description
Contributor Remote Code Execution (RCE) in Blocksy Companion Pro <= 2.1.37 versions.
Published: 2026-06-17
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Contributor Remote Code Execution (RCE) in Blocksy Companion Pro plugins versions up to and including 2.1.37 allows an attacker with a WordPress contributor role to execute arbitrary code on the host. The flaw occurs when the plugin fails to properly validate or sanitize data provided by the contributor, leading to the execution of attacker‑supplied code. An exploited instance could compromise the confidentiality, integrity, and availability of the WordPress site, potentially exposing sensitive data, modifying site content, or installing additional malware.

Affected Systems

The affected systems are WordPress sites running Creative Themes’ Blocksy Companion Pro plugin, versions 2.1.37 and earlier. The vulnerability is tied specifically to this plugin and its handling of contributor input.

Risk and Exploitability

The CVSS score of 9.9 categorizes this flaw as critical. No EPSS data is available, and the vulnerability is not listed in CISA’s KEV catalog. The most likely attack vector is through the normal WordPress contributor workflow, where a user with contributor permissions uploads malicious payloads via the plugin. Once exploited, code runs with the same privileges as the plugin, enabling full site compromise.

Generated by OpenCVE AI on June 18, 2026 at 14:03 UTC.

Remediation

Vendor Solution

Update the WordPress Blocksy Companion Pro Plugin to the latest available version (at least 2.1.38).


OpenCVE Recommended Actions

  • Update the Blocksy Companion Pro plugin to version 2.1.38 or newer.
  • If an immediate update is not possible, temporarily delete or deactivate the plugin until the patch is applied.
  • Remove or temporarily disable contributor permissions until the vulnerability is patched.

Generated by OpenCVE AI on June 18, 2026 at 14:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
First Time appeared Creativethemes
Creativethemes blocksy Companion
Wordpress
Wordpress wordpress
Vendors & Products Creativethemes
Creativethemes blocksy Companion
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Contributor Remote Code Execution (RCE) in Blocksy Companion Pro <= 2.1.37 versions.
Title WordPress Blocksy Companion Pro plugin <= 2.1.37 - Remote Code Execution (RCE) vulnerability
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Creativethemes Blocksy Companion
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T12:31:43.137Z

Reserved: 2026-04-15T09:20:42.117Z

Link: CVE-2026-40783

cve-icon Vulnrichment

Updated: 2026-06-17T12:31:33.927Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T07:30:05Z

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')