Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
AV:N and PR:N confirmed by unauthenticated network exploitation; C:L only as IDOR exposes objects without write access; I:N and A:N as no modification or denial-of-service vector described.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Insecure Direct Object References (IDOR) in Blocksy Companion Pro <= 2.1.46 versions.
AnalysisAI
Unauthenticated IDOR in Blocksy Companion Pro WordPress plugin (versions through 2.1.46) allows remote unauthenticated attackers to access restricted objects by manipulating user-controlled reference keys, resulting in unauthorized information disclosure. The CVSS 5.3 Medium score reflects network-reachable, zero-authentication access (AV:N/AC:L/PR:N/UI:N) but limited confidentiality impact only (C:L/I:N/A:N). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions are required for exploitation: the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms remote unauthenticated exploitation against any network-accessible WordPress installation running Blocksy Companion Pro version 2.1.46 or earlier. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) indicates this is remotely exploitable with no authentication, no special conditions, and no user interaction - a dangerous posture that elevates practical exploitability well above what the moderate 5.3 score implies. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated remote attacker identifies a Blocksy Companion Pro-powered WordPress site and sends crafted HTTP requests - likely to a REST API endpoint or admin-ajax handler - supplying incremented or enumerated object reference IDs in request parameters. The plugin retrieves and returns the targeted object without verifying the requester's authorization, exposing private or restricted data such as draft content, user-specific settings, or premium configuration objects. … |
| Remediation | Upgrade Blocksy Companion Pro to a version beyond 2.1.46 as the primary remediation. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39746
GHSA-ffhf-8563-gffw