Description
Unauthenticated Insecure Direct Object References (IDOR) in Blocksy Companion Pro <= 2.1.46 versions.
Published: 2026-06-26
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability permits unauthenticated users to reference objects they should not be able to access, potentially allowing data handled by the Blocksy Companion Pro plugin to be read or altered. The underlying weakness is a classic Insecure Direct Object Reference, classified as CWE-639 (Authorization Bypass Through User-Controlled Key), which can lead to information disclosure or integrity compromise if sensitive data becomes reachable. Note that the published CVSS v3.1 vector rates the confidentiality impact as low and the integrity impact as none.

Affected Systems

Creative Themes Blocksy Companion Pro versions up to and including 2.1.46 are affected. No other vendors or products are listed as impacted.

Risk and Exploitability

The CVSS base score of 5.3 indicates medium severity. No EPSS score is currently available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, exploitation likely requires crafting a URL or request to an endpoint that accepts an object identifier, with no authentication required (CVSS PR:N). While the exploitation path is straightforward, the overall risk to a given system depends on the sensitivity of the data the plugin exposes.

Generated by OpenCVE AI on June 26, 2026 at 16:56 UTC.

Remediation

Vendor Solution

Update the WordPress Blocksy Companion Pro Plugin to the latest available version (at least 2.1.47).
OpenCVE Recommended Actions

  • Update the Blocksy Companion Pro plugin to version 2.1.47 or newer to eliminate the IDOR flaw.
  • Configure WordPress role-based access controls to ensure that only administrators can access the plugin's protected endpoints.
  • Disable the Blocksy Companion Pro plugin in any environment where it is not required, reducing the attack surface.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 21:30:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 15:15:00 +0000

Type: Description
Values removed: (none)
Values added: Unauthenticated Insecure Direct Object References (IDOR) in Blocksy Companion Pro <= 2.1.46 versions.

Type: Title
Values removed: (none)
Values added: WordPress Blocksy Companion Pro plugin <= 2.1.46 - Insecure Direct Object References (IDOR) vulnerability

Type: Weaknesses
Values removed: (none)
Values added: CWE-639

Type: References
Values removed: (none)
Values added:

Type: Metrics (cvssV3_1)
Values removed: (none)
Values added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T20:16:28.803Z

Reserved: 2026-06-25T08:03:10.451Z

Link: CVE-2026-57630

Vulnrichment

Updated: 2026-06-26T20:16:23.595Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T17:00:04Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key