Severity by source
AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Editor-level authentication (PR:H) and mandatory multisite/unfiltered_html deployment conditions (AC:H) gate all exploitation; stored XSS crosses scope boundary into visitor browsers (S:C), with no availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.1.45 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
AnalysisAI
Stored Cross-Site Scripting in the Blocksy Companion WordPress plugin (all versions through 2.1.45) enables authenticated users with editor-level privileges or above to inject persistent JavaScript payloads via admin settings in the product-reviews extension, executing silently in any site visitor's browser on page load. Exploitation is gated by two mandatory deployment conditions - WordPress multisite networks or installations where unfiltered_html has been explicitly disabled - materially narrowing the real-world attack surface beyond what the network-accessible CVSS vector alone implies. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | All three of the following conditions must be simultaneously true for exploitation to succeed: (1) The attacker must possess a WordPress account with editor-level permissions or higher on the target installation - subscriber and contributor roles are insufficient; (2) The WordPress deployment must be a multisite network (where unfiltered_html is restricted to Super Admins by default) OR the unfiltered_html capability must have been explicitly revoked via plugin, filter, or policy on a single-site install - default single-site installs where editors retain unfiltered_html are NOT affected; (3) The Blocksy Companion plugin must be active with the product-reviews extension enabled and in use. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 4.4 Medium accurately reflects the compounded exploitation barriers: AC:H captures the mandatory conditional deployment state (multisite or disabled unfiltered_html), and PR:H captures the editor-level authentication floor, which in most WordPress governance models represents a trusted or semi-trusted internal role rather than a publicly accessible account. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a compromised or maliciously obtained editor account on a WordPress multisite network navigates to the Blocksy Companion product-reviews extension settings in the admin dashboard and injects a JavaScript payload (e.g., a cookie-stealing script) into an unsanitized settings field. The payload is committed to the WordPress database and begins executing silently in every subsequent visitor's browser when they load an affected product review page, enabling the attacker to harvest session tokens and escalate access without any further interaction. … |
| Remediation | Update the Blocksy Companion plugin to a version beyond 2.1.45 - an upstream fix was committed in WordPress SVN changeset 3576066 (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3576066%40blocksy-companion&new=3576066%40blocksy-companion). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Blocksy Companion
View allArbitrary file upload leading to remote code execution affects the premium Blocksy Companion Pro plugin for WordPress in
Remote code execution in the Blocksy Companion Pro WordPress plugin (all versions before 2.1.47) lets unauthenticated at
The Blocksy Companion WordPress plugin before 1.8.82 does not ensure that posts to be accessed via a shortcode are alrea
The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG uploads in versions up t
The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Newsletter widg
Cross-Site Request Forgery (CSRF) vulnerability in CreativeThemes Blocksy Companion.0.28. Rated medium severity (CVSS 5.
Auth. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor pat
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37989
GHSA-3w47-vpxj-86c8