Description
The Blocksy theme for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution via the 'blocksy_meta' REST API field and the V200 database migration in versions up to and including 2.1.35. This is due to insufficient input sanitization in the blocksy_sanitize_post_meta_options() function, which only blocks values containing '<' or '>' and does not prevent serialized PHP object strings from being stored in post meta, combined with the SearchReplacer::run_recursively() function unconditionally deserializing all string values via @unserialize() during migration without restricting allowed classes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a serialized Blocksy\RaiiPattern object into post meta that, when the V200 migration runs on an upgraded site, is deserialized and triggers RaiiPattern::__destruct(), which executes arbitrary PHP callables via call_user_func().
Published: 2026-06-09
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Blocksy theme for WordPress allows an attacker with contributor level or higher to submit a serialized PHP object through the 'blocksy_meta' REST API field. Because the input sanitization routine only removes '<' and '>' characters, serialized object strings are stored without restriction. During the V200 database migration, all string values are unserialized unconditionally, enabling the injected <Blocksy\RaiiPattern> object to call its __destruct() method, which then executes arbitrary callables via call_user_func(). This flaw can be leveraged to run arbitrary PHP code on the host, leading to full remote compromise of the affected WordPress installation.

Affected Systems

Versions of the Blocksy theme up to and including 2.1.35, developed by creativethemeshq, are vulnerable. The weakness resides in the handling of the 'blocksy_meta' REST API field and the database migration logic that processes post meta entries.

Risk and Exploitability

The CVSS score of 8.8 signals high severity. While EPSS data is not available and the flaw is not listed in the CISA KEV catalog, the risk remains significant due to the authentication requirement: an attacker must obtain or compromise a contributor‑level account. Once authenticated, they can inject the malicious serialized object and trigger the deserialization chain, resulting in remote code execution.

Generated by OpenCVE AI on June 9, 2026 at 09:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Blocksy theme to the latest released version that removes the vulnerable deserialization logic.
  • Disable or restrict access to the 'blocksy_meta' REST API endpoint so that only trusted administrators can use it.
  • If an immediate upgrade is not possible, implement a custom sanitization filter that rejects any PHP‑serialized object strings before they are written to post meta.

Generated by OpenCVE AI on June 9, 2026 at 09:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Creativethemes
Creativethemes blocksy
Wordpress
Wordpress wordpress
Vendors & Products Creativethemes
Creativethemes blocksy
Wordpress
Wordpress wordpress

Tue, 09 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 08:45:00 +0000

Type Values Removed Values Added
Description The Blocksy theme for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution via the 'blocksy_meta' REST API field and the V200 database migration in versions up to and including 2.1.35. This is due to insufficient input sanitization in the blocksy_sanitize_post_meta_options() function, which only blocks values containing '<' or '>' and does not prevent serialized PHP object strings from being stored in post meta, combined with the SearchReplacer::run_recursively() function unconditionally deserializing all string values via @unserialize() during migration without restricting allowed classes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a serialized Blocksy\RaiiPattern object into post meta that, when the V200 migration runs on an upgraded site, is deserialized and triggers RaiiPattern::__destruct(), which executes arbitrary PHP callables via call_user_func().
Title Blocksy <= 2.1.41 - Authenticated (Contributor+) PHP Object Injection via Deserialization of Untrusted Data via 'blocksy_meta' REST API Field
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Creativethemes Blocksy
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-09T12:56:15.813Z

Reserved: 2026-05-11T19:25:24.123Z

Link: CVE-2026-8365

cve-icon Vulnrichment

Updated: 2026-06-09T12:56:09.369Z

cve-icon NVD

Status : Deferred

Published: 2026-06-09T09:16:31.013

Modified: 2026-06-09T13:33:34.393

Link: CVE-2026-8365

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T20:15:06Z

Weaknesses