Severity by source
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Network-reachable but needs a Contributor account (PR:L) and specific conditions (AC:H); PHP RCE crosses into the host process (S:C) yielding full C/I/A impact.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Contributor Remote Code Execution (RCE) in Blocksy Companion Pro <= 2.1.45 versions.
AnalysisAI
Remote code execution in Blocksy Companion Pro (the premium add-on plugin for the Blocksy WordPress theme) versions 2.1.45 and earlier allows authenticated users holding only the low-privilege Contributor role to inject and execute arbitrary PHP code on the host. The flaw, reported by Patchstack and tracked under CWE-94, carries a CVSS 3.1 base score of 8.5 with a changed scope, meaning successful exploitation can impact components beyond the WordPress application itself. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated account with at least Contributor-level privileges on the target WordPress site (per CVSS PR:L), so it is not exploitable by fully anonymous internet users. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H combines a network attack vector with full confidentiality, integrity, and availability impact and a scope change, producing a high 8.5 score - but two metrics temper real-world urgency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained a Contributor account on a target WordPress site - through self-registration, social engineering, or credential compromise - submits specially crafted content or block/shortcode input that the Blocksy Companion Pro plugin evaluates as PHP, satisfying the high-complexity precondition. The injected code then runs server-side with web-server privileges, enabling webshell installation, data theft, or full site takeover. … |
| Remediation | Upgrade Blocksy Companion Pro to a version newer than 2.1.45 once the vendor releases it; the source data does not include an exact fixed version number, so confirm the patched release directly via the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/blocksy-companion-pro/vulnerability/wordpress-blocksy-companion-pro-plugin-2-1-45-remote-code-execution-rce-vulnerability?_s_id=cve) and the Blocksy vendor channel before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Disable Blocksy Companion Pro or restrict Contributor role to only essential, trusted personnel; audit all active Contributor accounts for suspicious activity. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39728
GHSA-vj4f-3p4c-m596