Skip to main content

Blocksy Companion Pro

3 CVEs product

Monthly

CVE-2026-57624 CRITICAL Act Now

Unauthenticated remote code execution affects Creative Themes' Blocksy Companion Pro WordPress plugin in all versions up to and including 2.1.46, allowing remote attackers to inject and execute arbitrary code (CWE-94) without any authentication or user interaction. Rated CVSS 10.0 with a scope-changed vector, this is a maximum-severity flaw reported by Patchstack. No public exploit identified at time of analysis and it is not currently listed in CISA KEV, but the trivial exploitability of an unauthenticated RCE makes it a high-priority patching target.

Code Injection RCE Blocksy Companion Pro
NVD VulDB
CVSS 3.1
10.0
EPSS
0.7%
CVE-2026-40783 CRITICAL Act Now

Remote code execution in Blocksy Companion Pro (Creative Themes) versions 2.1.37 and earlier allows authenticated users with Contributor-level WordPress privileges to inject and execute arbitrary code on the underlying server. The flaw carries a CVSS 3.1 base score of 9.9 with scope change, reflecting that successful exploitation breaks out of the WordPress application context. No public exploit identified at time of analysis, but Patchstack has catalogued the issue in its WordPress vulnerability database.

Code Injection RCE Blocksy Companion Pro
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-39596 CRITICAL PATCH Act Now

Unauthenticated SQL injection in Blocksy Companion Pro (a premium WordPress plugin from Creative Themes) prior to version 2.1.29 allows remote attackers to inject arbitrary SQL into backend database queries without any login or user interaction. The CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H) with scope-change indicates the impact crosses a security boundary, with full confidentiality compromise of database contents and limited integrity/availability effect. No public exploit identified at time of analysis, but the vulnerability class and SSDLC profile are highly attractive to automated scanners targeting WordPress.

SQLi Blocksy Companion Pro
NVD
CVSS 3.1
9.3
EPSS
0.4%
EPSS 1% CVSS 10.0
CRITICAL Act Now

Unauthenticated remote code execution affects Creative Themes' Blocksy Companion Pro WordPress plugin in all versions up to and including 2.1.46, allowing remote attackers to inject and execute arbitrary code (CWE-94) without any authentication or user interaction. Rated CVSS 10.0 with a scope-changed vector, this is a maximum-severity flaw reported by Patchstack. No public exploit identified at time of analysis and it is not currently listed in CISA KEV, but the trivial exploitability of an unauthenticated RCE makes it a high-priority patching target.

Code Injection RCE Blocksy Companion Pro
NVD VulDB
EPSS 1% CVSS 9.9
CRITICAL Act Now

Remote code execution in Blocksy Companion Pro (Creative Themes) versions 2.1.37 and earlier allows authenticated users with Contributor-level WordPress privileges to inject and execute arbitrary code on the underlying server. The flaw carries a CVSS 3.1 base score of 9.9 with scope change, reflecting that successful exploitation breaks out of the WordPress application context. No public exploit identified at time of analysis, but Patchstack has catalogued the issue in its WordPress vulnerability database.

Code Injection RCE Blocksy Companion Pro
NVD
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Unauthenticated SQL injection in Blocksy Companion Pro (a premium WordPress plugin from Creative Themes) prior to version 2.1.29 allows remote attackers to inject arbitrary SQL into backend database queries without any login or user interaction. The CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H) with scope-change indicates the impact crosses a security boundary, with full confidentiality compromise of database contents and limited integrity/availability effect. No public exploit identified at time of analysis, but the vulnerability class and SSDLC profile are highly attractive to automated scanners targeting WordPress.

SQLi Blocksy Companion Pro
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy