CVE-2026-12430
The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.1.45 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and...
EUVD-2026-37989
The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.1.45 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and...
CVE-2026-12430 Blocksy Companion <= 2.1.45 - Authenticated (Editor+) Stored Cross-Site Scripting via 'product_description' Parameter
The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.1.45 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and...
CVE-2026-12430
The CVE-2026-12430 entry concerns the Blocksy Companion WordPress plugin (
WordPress Blocksy Companion plugin <= 2.1.45 - Authenticated (Editor+) Stored Cross-Site Scripting vulnerability
Authenticated Editor+ Stored Cross-Site Scripting vulnerability discovered by Pasindu Dilshan K4PXD - HACK KAP PVT LTD in WordPress Plugin Blocksy Companion versions <= 2.1.45...
EUVD-2026-37605
Contributor Remote Code Execution RCE in Blocksy Companion Pro <= 2.1.37 versions...
EUVD-2026-37589
Unauthenticated SQL Injection in Blocksy Companion Pro < 2.1.29 versions...
CVE-2026-40783
Contributor Remote Code Execution RCE in Blocksy Companion Pro <= 2.1.37 versions...
CVE-2026-39596
Unauthenticated SQL Injection in Blocksy Companion Pro < 2.1.29 versions...
CVE-2026-40783 WordPress Blocksy Companion Pro plugin <= 2.1.37 - Remote Code Execution (RCE) vulnerability
Contributor Remote Code Execution RCE in Blocksy Companion Pro <= 2.1.37 versions...
CVE-2026-40783
The CVE concerns WordPress Blocksy Companion Pro plugin, affected at versions
CVE-2026-39596
The CVE covers WordPress Blocksy Companion Pro plugin, vulnerable in versions
CVE-2026-39596 WordPress Blocksy Companion Pro plugin < 2.1.29 - SQL Injection vulnerability
Unauthenticated SQL Injection in Blocksy Companion Pro < 2.1.29 versions...
CVE-2026-8365
The Blocksy theme for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution via the 'blocksy_meta' REST API field and the V200 database migration in versions up to and including 2.1.35. This is due to insufficient input sanitization in the blocksy_sanitize_post_meta_options...
CVE-2026-8365
The Blocksy theme for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution via the 'blocksy_meta' REST API field and the V200 database migration in versions up to and including 2.1.35. This is due to insufficient input sanitization in the blocksy_sanitize_post_meta_options...
CVE-2026-8365 Blocksy <= 2.1.41 - Authenticated (Contributor+) PHP Object Injection via Deserialization of Untrusted Data via 'blocksy_meta' REST API Field
The Blocksy theme for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution via the 'blocksy_meta' REST API field and the V200 database migration in versions up to and including 2.1.35. This is due to insufficient input sanitization in the blocksy_sanitize_post_meta_options...
EUVD-2026-35379
The Blocksy theme for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution via the 'blocksy_meta' REST API field and the V200 database migration in versions up to and including 2.1.35. This is due to insufficient input sanitization in the blocksy_sanitize_post_meta_options...
CVE-2026-8365 Blocksy <= 2.1.41 - Authenticated (Contributor+) PHP Object Injection via Deserialization of Untrusted Data via 'blocksy_meta' REST API Field
The Blocksy theme for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution via the 'blocksy_meta' REST API field and the V200 database migration in versions up to and including 2.1.35. This is due to insufficient input sanitization in the blocksy_sanitize_post_meta_options...
CVE-2026-8365
The Blocksy WordPress theme (up to at least 2.1.41) is vulnerable to PHP Object Injection via the blocksy_meta REST API field and the V200 migration. Root cause: blocksy_sanitize_post_meta_options() only blocks '' and does not prevent serialized PHP objects, combined with SearchReplacer::run_recu...
PT-2026-47723
Name of the Vulnerable Software and Affected Versions: Blocksy versions prior to 2.1.36. Description: Insufficient input sanitization in the blocksy_sanitize_post_meta_options function allows authenticated attackers with contributor-level access or higher to store serialized PHP object strings in po...