
Blocksy theme CVE-2026-8365

EUVD-2026-35379 · HIGH
Deserialization of Untrusted Data (CWE-502)
2026-06-09 · Wordfence · GHSA-r622-c48h-h6qq
CVSS 3.1 (NVD): 8.8

Severity by source

NVD (primary): 8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Jun 09, 2026 - 09:15 (vuln.today)
CVE Published: Jun 09, 2026 - 08:29 (nvd)

Description (CVE.org)

The Blocksy theme for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution via the 'blocksy_meta' REST API field and the V200 database migration in versions up to and including 2.1.35. This is due to insufficient input sanitization in the blocksy_sanitize_post_meta_options() function, which only blocks values containing '<' or '>' and does not prevent serialized PHP object strings from being stored in post meta, combined with the SearchReplacer::run_recursively() function unconditionally deserializing all string values via @unserialize() during migration without restricting allowed classes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a serialized Blocksy\RaiiPattern object into post meta that, when the V200 migration runs on an upgraded site, is deserialized and triggers RaiiPattern::__destruct(), which executes arbitrary PHP callables via call_user_func().
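
As an added illustration (not Blocksy's code and not taken from the CVE record), the two halves of the flaw described above side by side: a post-meta check that only blocks '<' and '>' next to one that also refuses serialized PHP object strings, and a migration-side unserialize() that disables class instantiation through allowed_classes. Function names and the sample values are constructed for this example.

```php
<?php
// Added example, not Blocksy's code. Function names are illustrative.

// The weak check the CVE text describes: a value is accepted unless it
// contains '<' or '>', so a serialized object string passes unchanged.
function weak_meta_check(string $value): bool
{
    return strpos($value, '<') === false && strpos($value, '>') === false;
}

// True if the string carries a serialized PHP object token, either at the
// top level or nested inside a serialized array ("O:" for objects, "C:" for
// classes implementing Serializable). Deliberately conservative: a plain
// string that merely contains such a token is rejected too.
function contains_serialized_object(string $value): bool
{
    return preg_match('/(?:^|[;{])[OC]:\d+:"[^"]*":\d+:\{/', $value) === 1;
}

// Hardened check: keep the original rule and additionally reject anything
// that would instantiate an object when later passed to unserialize().
function hardened_meta_check(string $value): bool
{
    return weak_meta_check($value) && !contains_serialized_object($value);
}

// Migration-side counterpart: deserialize stored strings without ever
// instantiating a class. With allowed_classes => false every object is
// restored as __PHP_Incomplete_Class, which has no __destruct or __wakeup
// that could run attacker-controlled logic.
function safe_unserialize_string(string $value)
{
    $data = @unserialize($value, ['allowed_classes' => false]);
    // unserialize() returns false both on failure and for the literal 'b:0;'.
    if ($data === false && $value !== 'b:0;') {
        return $value; // not serialized data; leave the string untouched
    }
    return $data;
}

// Constructed sample values (not taken from the advisory).
$benign = 'a:1:{s:5:"color";s:3:"red";}';   // plain serialized array
$nested = 'a:1:{i:0;O:3:"Foo":0:{}}';       // array hiding a serialized object

var_dump(weak_meta_check($nested));         // no '<' or '>', so the weak check accepts it
var_dump(hardened_meta_check($benign));     // arrays of scalars still pass
var_dump(hardened_meta_check($nested));     // the nested object is refused
var_dump(safe_unserialize_string('O:3:"Foo":0:{}')); // incomplete class, no destructor
```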

Analysis (AI)

Authenticated PHP Object Injection in the Blocksy WordPress theme (versions ≤ 2.1.35) allows contributor-level users to escalate to remote code execution by storing a malicious serialized object in post meta that is later deserialized during the V200 database migration. The Wordfence-reported flaw chains weak input sanitization in blocksy_sanitize_post_meta_options() with an unconditional @unserialize() call in SearchReplacer::run_recursively(), triggering RaiiPattern::__destruct() to invoke arbitrary callables via call_user_func(). …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Obtain contributor-level WordPress account
Delivery: Submit crafted serialized RaiiPattern via blocksy_meta REST field
Exploit: Payload stored in post meta (sanitizer bypassed)
Install: Admin upgrades Blocksy triggering V200 migration
C2: SearchReplacer @unserialize() instantiates object
Execute: RaiiPattern::__destruct calls call_user_func()
Impact: Arbitrary PHP code execution as web user

Vulnerability Assessment (AI)

Exploitation: Requires an authenticated WordPress account at contributor level or above on a site running the Blocksy theme version ≤ 2.1.35 with the 'blocksy_meta' REST API field writable to that role; the attacker must additionally wait for (or induce) execution of the V200 database migration, which runs during a theme/database upgrade, to trigger the @unserialize() sink in SearchReplacer::run_recursively(). …

Risk Assessment: The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) scoring 8.8 reflects network-reachable, low-complexity exploitation requiring only low privileges, with no user interaction and full confidentiality/integrity/availability impact, which is appropriate for a contributor-to-RCE chain on a CMS. …

Exploit Scenario: An attacker registers or compromises a contributor-level WordPress account on a target site running Blocksy ≤ 2.1.35, then uses the REST API to write a crafted serialized Blocksy\RaiiPattern object into the 'blocksy_meta' post meta field of a draft post; the sanitizer accepts it because the payload contains no '<' or '>' characters. When the site administrator subsequently upgrades Blocksy and the V200 migration executes SearchReplacer::run_recursively(), the @unserialize() call instantiates the attacker's object; on tear-down, RaiiPattern::__destruct() invokes call_user_func() with attacker-supplied arguments, yielding arbitrary PHP execution under the web server account. …

Remediation: Upgrade the Blocksy theme to version 2.1.41 or later; the fixed code paths (db-search-replacer.php, meta-boxes.php, validator.php, and raii.php) are visible at https://themes.trac.wordpress.org/browser/blocksy/2.1.41/. …

Recommended Action (AI)

Within 24 hours: Identify all WordPress installations running Blocksy theme and confirm version numbers; catalog sites running version 2.1.35 or lower. …

