Skip to main content

Blocksy Companion Pro EUVDEUVD-2026-37605

| CVE-2026-40783 CRITICAL
Code Injection (CWE-94)
2026-06-17 Patchstack
9.9
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

Network-reachable WordPress endpoint (AV:N/AC:L), Contributor role required (PR:L), no interaction (UI:N), PHP code execution breaks WordPress app boundary into host (S:C) with full CIA impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 12:12 vuln.today

DescriptionCVE.org

Contributor Remote Code Execution (RCE) in Blocksy Companion Pro <= 2.1.37 versions.

AnalysisAI

Remote code execution in Blocksy Companion Pro (Creative Themes) versions 2.1.37 and earlier allows authenticated users with Contributor-level WordPress privileges to inject and execute arbitrary code on the underlying server. The flaw carries a CVSS 3.1 base score of 9.9 with scope change, reflecting that successful exploitation breaks out of the WordPress application context. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Contributor WordPress account
Delivery
Send crafted request to Blocksy Companion Pro endpoint
Exploit
Inject PHP into vulnerable code sink
Execution
Plugin evaluates attacker input
Persist
Execute code as web server user
Impact
Pivot to full WordPress and host takeover

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress account with at least the Contributor role on a site where Blocksy Companion Pro <= 2.1.37 is installed and active (PR:L in the CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) shows network-reachable, low-complexity exploitation requiring only low (Contributor) privileges, no user interaction, and a scope change with full CIA impact - a realistic worst case for any multi-author WordPress site. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or compromises a low-privilege Contributor account on a WordPress site running Blocksy Companion Pro <= 2.1.37, then submits a crafted post, shortcode, or plugin action that injects PHP code into a vulnerable sink. The plugin evaluates the attacker-controlled input on the server, yielding code execution as the web server user and full takeover of the WordPress installation and any co-hosted data.
Remediation Upstream fix available per Patchstack advisory; released patched version not independently confirmed in the provided data - administrators should upgrade Blocksy Companion Pro to the next release after 2.1.37 as published by Creative Themes and monitor https://patchstack.com/database/wordpress/plugin/blocksy-companion-pro/vulnerability/wordpress-blocksy-companion-pro-plugin-2-1-37-remote-code-execution-rce-vulnerability for the exact fixed version. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all WordPress installations running Blocksy Companion Pro 2.1.37 or earlier; review recent access logs for indicators of compromise; document all active Contributor-level WordPress user accounts. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-37605 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy