Skip to main content

Blocksy Companion Pro EUVDEUVD-2026-39746

| CVE-2026-57630 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-26 audit@patchstack.com GHSA-ffhf-8563-gffw
5.3
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
5.3 MEDIUM

AV:N and PR:N confirmed by unauthenticated network exploitation; C:L only as IDOR exposes objects without write access; I:N and A:N as no modification or denial-of-service vector described.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 16:14 vuln.today

DescriptionCVE.org

Unauthenticated Insecure Direct Object References (IDOR) in Blocksy Companion Pro <= 2.1.46 versions.

AnalysisAI

Unauthenticated IDOR in Blocksy Companion Pro WordPress plugin (versions through 2.1.46) allows remote unauthenticated attackers to access restricted objects by manipulating user-controlled reference keys, resulting in unauthorized information disclosure. The CVSS 5.3 Medium score reflects network-reachable, zero-authentication access (AV:N/AC:L/PR:N/UI:N) but limited confidentiality impact only (C:L/I:N/A:N). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify target WordPress site running Blocksy Companion Pro
Delivery
Send unauthenticated HTTP request to plugin endpoint
Exploit
Supply manipulated object reference parameter
Execution
Plugin skips authorization check
Impact
Restricted object data returned in response

Vulnerability AssessmentAI

Exploitation No special conditions are required for exploitation: the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms remote unauthenticated exploitation against any network-accessible WordPress installation running Blocksy Companion Pro version 2.1.46 or earlier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) indicates this is remotely exploitable with no authentication, no special conditions, and no user interaction - a dangerous posture that elevates practical exploitability well above what the moderate 5.3 score implies. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated remote attacker identifies a Blocksy Companion Pro-powered WordPress site and sends crafted HTTP requests - likely to a REST API endpoint or admin-ajax handler - supplying incremented or enumerated object reference IDs in request parameters. The plugin retrieves and returns the targeted object without verifying the requester's authorization, exposing private or restricted data such as draft content, user-specific settings, or premium configuration objects. …
Remediation Upgrade Blocksy Companion Pro to a version beyond 2.1.46 as the primary remediation. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39746 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy