Skip to main content

Blocksy Companion Pro CVE-2026-57315

| EUVDEUVD-2026-39728 HIGH
Code Injection (CWE-94)
2026-06-26 audit@patchstack.com GHSA-vj4f-3p4c-m596
8.5
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
8.5 HIGH
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
8.5 HIGH

Network-reachable but needs a Contributor account (PR:L) and specific conditions (AC:H); PHP RCE crosses into the host process (S:C) yielding full C/I/A impact.

3.1 AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 15:53 vuln.today

DescriptionCVE.org

Contributor Remote Code Execution (RCE) in Blocksy Companion Pro <= 2.1.45 versions.

AnalysisAI

Remote code execution in Blocksy Companion Pro (the premium add-on plugin for the Blocksy WordPress theme) versions 2.1.45 and earlier allows authenticated users holding only the low-privilege Contributor role to inject and execute arbitrary PHP code on the host. The flaw, reported by Patchstack and tracked under CWE-94, carries a CVSS 3.1 base score of 8.5 with a changed scope, meaning successful exploitation can impact components beyond the WordPress application itself. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Contributor account
Delivery
Craft malicious block/shortcode input
Exploit
Submit to plugin code sink
Execution
Trigger PHP code injection
Persist
Execute arbitrary code as web server
Impact
Full site compromise

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated account with at least Contributor-level privileges on the target WordPress site (per CVSS PR:L), so it is not exploitable by fully anonymous internet users. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H combines a network attack vector with full confidentiality, integrity, and availability impact and a scope change, producing a high 8.5 score - but two metrics temper real-world urgency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained a Contributor account on a target WordPress site - through self-registration, social engineering, or credential compromise - submits specially crafted content or block/shortcode input that the Blocksy Companion Pro plugin evaluates as PHP, satisfying the high-complexity precondition. The injected code then runs server-side with web-server privileges, enabling webshell installation, data theft, or full site takeover. …
Remediation Upgrade Blocksy Companion Pro to a version newer than 2.1.45 once the vendor releases it; the source data does not include an exact fixed version number, so confirm the patched release directly via the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/blocksy-companion-pro/vulnerability/wordpress-blocksy-companion-pro-plugin-2-1-45-remote-code-execution-rce-vulnerability?_s_id=cve) and the Blocksy vendor channel before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Disable Blocksy Companion Pro or restrict Contributor role to only essential, trusted personnel; audit all active Contributor accounts for suspicious activity. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57315 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy