6 matches found
CVE-2023-1911
Blocksy Companion (WordPress plugin by Creative Themes) before 1.8.82 contains an authorization flaw: posts accessible via a shortcode are not confirmed public, allowing any authenticated user (e.g., subscribers) to view draft content. This exposes draft posts to users who should not have access....
CVE-2024-31932
CVE-2024-31932 applies to Blocksy Companion: Cross-Site Request Forgery (CSRF) vulnerability in Blocksy Companion up to version 2.0.28. The issue has a CVSS v3.1 score of 8.8 (High) with network attack vector, no privileges required, user interaction needed, and impacts to confidentiality, integr...
CVE-2024-2392
CVE-2024-2392 affects Blocksy Companion for WordPress; versions up to and including 2.0.31 are vulnerable to Stored XSS via the Newsletter widget due to insufficient input sanitization/escaping. Exploitation requires Contributor+ authenticated access; impact is arbitrary script injection in pages...
CVE-2023-23898
CVE-2023-23898 is a stored XSS in the CreativeThemes Blocksy Companion WordPress plugin up to version 1.8.67. The root cause is improper escaping/validation of the class attribute in the blocksy_posts shortcode output, exploitable by users with Contributor+ permissions. Impact is stored XSS; CVSS...
CVE-2024-35633
CVE-2024-35633 is a Server-Side Request Forgery (SSRF) vulnerability in CreativeThemes Blocksy Companion for WordPress, affecting Blocksy Companion versions up to 2.0.42. The affected condition requires Administrator-level access; the issue is exploitable via network-based vectors and impacts con...
CVE-2024-4487
CVE-2024-4487 affects Blocksy Companion for WordPress. The vulnerability is a Stored Cross-Site Scripting via SVG uploads in Blocksy Companion versions up to and including 2.0.45, caused by insufficient input sanitization and output escaping. Exploitation requires authenticated access at contribu...