Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Network-reachable WordPress endpoint (AV:N/AC:L), Contributor role required (PR:L), no interaction (UI:N), PHP code execution breaks WordPress app boundary into host (S:C) with full CIA impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Contributor Remote Code Execution (RCE) in Blocksy Companion Pro <= 2.1.37 versions.
AnalysisAI
Remote code execution in Blocksy Companion Pro (Creative Themes) versions 2.1.37 and earlier allows authenticated users with Contributor-level WordPress privileges to inject and execute arbitrary code on the underlying server. The flaw carries a CVSS 3.1 base score of 9.9 with scope change, reflecting that successful exploitation breaks out of the WordPress application context. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress account with at least the Contributor role on a site where Blocksy Companion Pro <= 2.1.37 is installed and active (PR:L in the CVSS vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) shows network-reachable, low-complexity exploitation requiring only low (Contributor) privileges, no user interaction, and a scope change with full CIA impact - a realistic worst case for any multi-author WordPress site. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or compromises a low-privilege Contributor account on a WordPress site running Blocksy Companion Pro <= 2.1.37, then submits a crafted post, shortcode, or plugin action that injects PHP code into a vulnerable sink. The plugin evaluates the attacker-controlled input on the server, yielding code execution as the web server user and full takeover of the WordPress installation and any co-hosted data. |
| Remediation | Upstream fix available per Patchstack advisory; released patched version not independently confirmed in the provided data - administrators should upgrade Blocksy Companion Pro to the next release after 2.1.37 as published by Creative Themes and monitor https://patchstack.com/database/wordpress/plugin/blocksy-companion-pro/vulnerability/wordpress-blocksy-companion-pro-plugin-2-1-37-remote-code-execution-rce-vulnerability for the exact fixed version. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all WordPress installations running Blocksy Companion Pro 2.1.37 or earlier; review recent access logs for indicators of compromise; document all active Contributor-level WordPress user accounts. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Blocksy Companion Pro
View allUnauthenticated remote code execution affects Creative Themes' Blocksy Companion Pro WordPress plugin in all versions up
Unauthenticated SQL injection in Blocksy Companion Pro (a premium WordPress plugin from Creative Themes) prior to versio
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37605