Description
Contributor Remote Code Execution (RCE) in Blocksy Companion Pro <= 2.1.45 versions.
Published: 2026-06-26
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to execute arbitrary code on a WordPress site that is running the Blocksy Companion Pro plugin version 2.1.45 or earlier. The flaw is caused by improper handling of user-supplied data that is executed as PHP code, as indicated by the CWE‑94 association with code injection. If exploited, a remote attacker could gain full control of the affected WordPress installation, including the ability to modify files, access sensitive data, or install additional malware.

Affected Systems

The affected product is the Blocksy Companion Pro plugin from Creative Themes. Versions 2.1.45 and below are vulnerable. No other products or versions are listed.

Risk and Exploitability

The CVSS score of 8.5 indicates a high impact severity. EPSS is not available, so the likelihood of exploitation cannot be quantified from the data; the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote via the web interface, as the plugin processes input from HTTP requests that can be crafted to trigger code execution. No additional prerequisites are described, implying that a remote user who can send a specially crafted request to the affected plugin endpoints may exploit the flaw.

Generated by OpenCVE AI on June 26, 2026 at 17:04 UTC.

Remediation

Vendor Solution

Update the WordPress Blocksy Companion Pro Plugin to the latest available version (at least 2.1.46).

OpenCVE Recommended Actions

  • Update the Blocksy Companion Pro Plugin to version 2.1.46 or later.
  • If an immediate update is not possible, deactivate the plugin to remove the vulnerable code paths.
  • Limit access to the plugin’s configuration and administrative pages to trusted users only to reduce the attack surface.

Generated by OpenCVE AI on June 26, 2026 at 17:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Description Contributor Remote Code Execution (RCE) in Blocksy Companion Pro <= 2.1.45 versions.
Title WordPress Blocksy Companion Pro plugin <= 2.1.45 - Remote Code Execution (RCE) vulnerability
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T20:17:10.083Z

Reserved: 2026-06-24T12:44:58.567Z

Link: CVE-2026-57315

cve-icon Vulnrichment

Updated: 2026-06-26T20:17:04.761Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T17:15:04Z

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')