Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Unauthenticated network SQLi (AV:N/AC:L/PR:N/UI:N); scope changes as DB engine acts on attacker input (S:C); full DB read (C:H), limited write via INSERT/UPDATE chains (I:L), no inherent availability impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
2DescriptionCVE.org
Unauthenticated SQL Injection in Blocksy Companion Pro < 2.1.29 versions.
AnalysisAI
Unauthenticated SQL injection in Blocksy Companion Pro (a premium WordPress plugin from Creative Themes) prior to version 2.1.29 allows remote attackers to inject arbitrary SQL into backend database queries without any login or user interaction. The CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H) with scope-change indicates the impact crosses a security boundary, with full confidentiality compromise of database contents and limited integrity/availability effect. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The target site must have Blocksy Companion Pro installed and activated at any version below 2.1.29, and the vulnerable HTTP endpoint (admin-ajax action or REST route registered by the plugin) must be reachable from the attacker's network position - which is the WordPress default since admin-ajax.php and /wp-json/ are exposed to anonymous users out of the box. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Risk is high in practice: CVSS 9.3 reflects network-reachable, low-complexity exploitation with no privileges and no user interaction (AV:N/AC:L/PR:N/UI:N), which matches the description's 'Unauthenticated' wording - these signals are consistent. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker discovers a site running Blocksy Companion Pro (fingerprintable via the /wp-content/plugins/blocksy-companion-pro/ asset path) and sends a crafted HTTP request to the vulnerable plugin endpoint with a SQL payload in an unsanitized parameter, exfiltrating wp_users password hashes and the WordPress auth secret keys from wp_options via UNION-based or time-based injection. The hashes are cracked offline or the secrets are used to forge a logged-in administrator cookie, after which the attacker uploads a malicious plugin or theme to obtain RCE. … |
| Remediation | Vendor-released patch: upgrade Blocksy Companion Pro to version 2.1.29 or later via the Creative Themes account dashboard or the plugin's built-in license-bound updater, as indicated by the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/blocksy-companion-pro/vulnerability/wordpress-blocksy-companion-pro-plugin-2-1-29-sql-injection-vulnerability. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Audit all WordPress environments to identify Blocksy Companion Pro installations and document current versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Blocksy Companion Pro
View allUnauthenticated remote code execution affects Creative Themes' Blocksy Companion Pro WordPress plugin in all versions up
Remote code execution in Blocksy Companion Pro (Creative Themes) versions 2.1.37 and earlier allows authenticated users
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37589