Skip to main content

Blocksy Companion Pro CVE-2026-57624

| EUVDEUVD-2026-41278 CRITICAL
Code Injection (CWE-94)
2026-07-02 Patchstack GHSA-f3xf-x8w4-hfx8
10.0
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
10.0 CRITICAL

Unauthenticated network code injection with no user interaction warrants AV:N/AC:L/PR:N/UI:N; RCE breaching the PHP/OS boundary beyond the plugin justifies S:C and full C:H/I:H/A:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:02 vuln.today

DescriptionCVE.org

Unauthenticated Remote Code Execution (RCE) in Blocksy Companion Pro <= 2.1.46 versions.

AnalysisAI

Unauthenticated remote code execution affects Creative Themes' Blocksy Companion Pro WordPress plugin in all versions up to and including 2.1.46, allowing remote attackers to inject and execute arbitrary code (CWE-94) without any authentication or user interaction. Rated CVSS 10.0 with a scope-changed vector, this is a maximum-severity flaw reported by Patchstack. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site with Blocksy Companion Pro ≤2.1.46
Delivery
Send crafted HTTP request to vulnerable endpoint
Exploit
Inject arbitrary PHP code (CWE-94)
Execution
Server evaluates and executes payload
Persist
Deploy web shell / exfiltrate data
Impact
Pivot into hosting environment

Vulnerability AssessmentAI

Exploitation No special conditions - remote unauthenticated exploitation is possible against network-reachable installations of Blocksy Companion Pro at version 2.1.46 or earlier, per the CVSS vector (AV:N/AC:L/PR:N/UI:N) and the 'Unauthenticated RCE' description. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All available signals point to genuine high priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A remote attacker sends a single crafted HTTP request to a public WordPress site running Blocksy Companion Pro 2.1.46 or earlier, injecting code into a vulnerable plugin parameter that the server evaluates as PHP. With no authentication or user interaction required, the attacker gains arbitrary code execution and can deploy a web shell, exfiltrate the database, or pivot into the hosting environment. …
Remediation Upgrade Blocksy Companion Pro to a release newer than 2.1.46; the exact fixed version is not stated in the provided data, so administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/blocksy-companion-pro/vulnerability/wordpress-blocksy-companion-pro-plugin-2-1-46-remote-code-execution-rce-vulnerability) and the Creative Themes vendor portal to confirm and apply the latest patched build. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit all WordPress installations for Blocksy Companion Pro versions ≤2.1.46; implement interim protective controls (WAF rules blocking suspicious requests, network access restrictions, IP whitelisting). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57624 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy