Skip to main content

Blocksy Companion EUVDEUVD-2026-37989

| CVE-2026-12430 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-19 Wordfence GHSA-3w47-vpxj-86c8
4.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.4 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
4.4 MEDIUM

Editor-level authentication (PR:H) and mandatory multisite/unfiltered_html deployment conditions (AC:H) gate all exploitation; stored XSS crosses scope boundary into visitor browsers (S:C), with no availability impact.

3.1 AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 19, 2026 - 06:39 vuln.today
CVE Published
Jun 19, 2026 - 04:31 nvd
MEDIUM 4.4

DescriptionCVE.org

The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.1.45 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

AnalysisAI

Stored Cross-Site Scripting in the Blocksy Companion WordPress plugin (all versions through 2.1.45) enables authenticated users with editor-level privileges or above to inject persistent JavaScript payloads via admin settings in the product-reviews extension, executing silently in any site visitor's browser on page load. Exploitation is gated by two mandatory deployment conditions - WordPress multisite networks or installations where unfiltered_html has been explicitly disabled - materially narrowing the real-world attack surface beyond what the network-accessible CVSS vector alone implies. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain editor-level WordPress credentials
Delivery
Navigate to Blocksy Companion product-reviews admin settings
Exploit
Inject JavaScript payload into unsanitized settings field
Install
Payload persisted to WordPress database
C2
Victim visits affected product review page
Execute
Malicious script executes in victim browser
Impact
Session token exfiltrated or victim redirected

Vulnerability AssessmentAI

Exploitation All three of the following conditions must be simultaneously true for exploitation to succeed: (1) The attacker must possess a WordPress account with editor-level permissions or higher on the target installation - subscriber and contributor roles are insufficient; (2) The WordPress deployment must be a multisite network (where unfiltered_html is restricted to Super Admins by default) OR the unfiltered_html capability must have been explicitly revoked via plugin, filter, or policy on a single-site install - default single-site installs where editors retain unfiltered_html are NOT affected; (3) The Blocksy Companion plugin must be active with the product-reviews extension enabled and in use. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 4.4 Medium accurately reflects the compounded exploitation barriers: AC:H captures the mandatory conditional deployment state (multisite or disabled unfiltered_html), and PR:H captures the editor-level authentication floor, which in most WordPress governance models represents a trusted or semi-trusted internal role rather than a publicly accessible account. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a compromised or maliciously obtained editor account on a WordPress multisite network navigates to the Blocksy Companion product-reviews extension settings in the admin dashboard and injects a JavaScript payload (e.g., a cookie-stealing script) into an unsanitized settings field. The payload is committed to the WordPress database and begins executing silently in every subsequent visitor's browser when they load an affected product review page, enabling the attacker to harvest session tokens and escalate access without any further interaction. …
Remediation Update the Blocksy Companion plugin to a version beyond 2.1.45 - an upstream fix was committed in WordPress SVN changeset 3576066 (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3576066%40blocksy-companion&new=3576066%40blocksy-companion). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-37989 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy