Impact
Contributor Remote Code Execution (RCE) in Blocksy Companion Pro plugins versions up to and including 2.1.37 allows an attacker with a WordPress contributor role to execute arbitrary code on the host. The flaw occurs when the plugin fails to properly validate or sanitize data provided by the contributor, leading to the execution of attacker‑supplied code. An exploited instance could compromise the confidentiality, integrity, and availability of the WordPress site, potentially exposing sensitive data, modifying site content, or installing additional malware.
Affected Systems
The affected systems are WordPress sites running Creative Themes’ Blocksy Companion Pro plugin, versions 2.1.37 and earlier. The vulnerability is tied specifically to this plugin and its handling of contributor input.
Risk and Exploitability
The CVSS score of 9.9 categorizes this flaw as critical. No EPSS data is available, and the vulnerability is not listed in CISA’s KEV catalog. The most likely attack vector is through the normal WordPress contributor workflow, where a user with contributor permissions uploads malicious payloads via the plugin. Once exploited, code runs with the same privileges as the plugin, enabling full site compromise.
OpenCVE Enrichment