cleantalk
Vulnerabilities and Security Research

Vulnerabilities and security research for blocksy-companion

Jun 07, 2024

Blocksy Companion # CVE-2023-1911
CVE / Research URL: CVE-2023-1911
Application: Blocksy Companion
Date: May 02, 2023
Research Description: The Blocksy Companion WordPress plugin before 1.8.82 does not check that a post accessed via a shortcode is already public and viewable, so any authenticated user, including a subscriber, can read draft posts, for example.
Affected versions: < 1.8.82
Status: vulnerable
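The missing check described above, as an added illustration that is not Blocksy's code: a hypothetical `[demo_show_post id="…"]` shortcode that renders another post by ID, first trusting only the ID (the vulnerable shape) and then gating on whether the current visitor may actually see the post. All `demo_` names are invented; the file runs only inside WordPress (as a drop-in plugin), and `is_post_publicly_viewable()` needs WordPress 5.7 or later.

```php
<?php
/**
 * Plugin Name: Demo shortcode post-visibility check (added example, not Blocksy code)
 *
 * Hypothetical shortcode that embeds another post's content. demo_* names are invented.
 */

// Vulnerable pattern: trusts the ID and ignores post status, so anyone who can place a
// shortcode (a subscriber via a profile field, a contributor via a draft preview, ...)
// can read drafts, pending and private posts they could never open in the editor.
function demo_show_post_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'id' => 0 ), $atts, 'demo_show_post_vulnerable' );
    $post = get_post( absint( $atts['id'] ) );
    if ( ! $post ) {
        return '';
    }
    // No status or capability check: a draft or private post leaks right here.
    return apply_filters( 'the_content', $post->post_content );
}
add_shortcode( 'demo_show_post_vulnerable', 'demo_show_post_vulnerable' );

// Hardened pattern: render only what the current visitor is entitled to see.
function demo_post_is_readable_by_current_user( $post ) {
    $post = get_post( $post );
    if ( ! $post || 'trash' === $post->post_status ) {
        return false;
    }
    // Published post of a viewable type/status, and not password-protected for this visitor.
    if ( is_post_publicly_viewable( $post ) && ! post_password_required( $post ) ) {
        return true;
    }
    // Otherwise demand the same right the editor would: for drafts this maps to
    // edit_posts/edit_others_posts, for private posts to read_private_posts,
    // none of which a subscriber holds.
    return current_user_can( 'read_post', $post->ID );
}

function demo_show_post_hardened( $atts ) {
    $atts = shortcode_atts( array( 'id' => 0 ), $atts, 'demo_show_post_hardened' );
    $post = get_post( absint( $atts['id'] ) );
    if ( ! demo_post_is_readable_by_current_user( $post ) ) {
        return ''; // fail closed and do not even confirm that the ID exists
    }
    return apply_filters( 'the_content', $post->post_content );
}
add_shortcode( 'demo_show_post_hardened', 'demo_show_post_hardened' );
```

The point of the two-step check is that "is it published?" and "may this user read it?" are different questions: a subscriber can see published posts without any capability, while an editor may legitimately embed a colleague's draft, and `current_user_can( 'read_post', … )` resolves both through WordPress's own `map_meta_cap` rules instead of a hand-rolled status list.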

Blocksy Companion # CVE-2024-4487
CVE / Research URL: CVE-2024-4487
Application: Blocksy Companion
Date: May 14, 2024
Research Description: The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG uploads in versions up to, and including, 2.0.45 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: < 2.0.46 (up to and including 2.0.45)
Status: vulnerable
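An added example of the control that the entry above says was insufficient (this is not Blocksy's code): an SVG is XML, so the upload filter parses it and refuses anything that can execute or load script, instead of trusting the file extension. The `demo_*` names are invented; the check itself is plain PHP (DOMDocument), and the `wp_handle_upload_prefilter` hook at the end only registers when WordPress is loaded. WordPress core refuses `.svg` uploads unless a plugin or theme adds the MIME type, so whoever enables them owns this check.

```php
<?php
/**
 * Added example (not Blocksy code): reject SVG uploads that carry active content.
 * demo_* names are invented. The sample SVGs at the bottom are constructed, not real uploads.
 */

/** True if the SVG contains anything that can run or load script. */
function demo_svg_has_active_content( string $svg ): bool {
    $prev = libxml_use_internal_errors( true );
    $doc  = new DOMDocument();
    $ok   = $doc->loadXML( $svg, LIBXML_NONET ); // NONET: no external fetches during parsing
    libxml_clear_errors();
    libxml_use_internal_errors( $prev );

    if ( ! $ok || null === $doc->documentElement ) {
        return true; // unparseable: fail closed rather than guess what a browser would do
    }
    if ( null !== $doc->doctype ) {
        return true; // a DOCTYPE (and therefore entity declarations) has no place in an icon
    }
    if ( 'svg' !== strtolower( $doc->documentElement->localName ) ) {
        return true;
    }

    $blocked_elements = array( 'script', 'foreignobject', 'iframe', 'embed', 'object' );
    foreach ( $doc->getElementsByTagName( '*' ) as $el ) {
        if ( in_array( strtolower( $el->localName ), $blocked_elements, true ) ) {
            return true;
        }
        foreach ( $el->attributes as $attr ) {
            $name = strtolower( $attr->localName );
            if ( 0 === strncmp( $name, 'on', 2 ) ) {
                return true; // onload=, onclick=, onbegin=, ...
            }
            if ( 'href' === $name ) { // localName covers both href and xlink:href
                // Browsers ignore leading whitespace/control characters before the scheme.
                $value = strtolower( preg_replace( '/[\s\x00-\x1f]+/', '', $attr->value ) );
                if ( 0 === strncmp( $value, 'javascript:', 11 ) || 0 === strncmp( $value, 'data:', 5 ) ) {
                    return true;
                }
            }
        }
    }
    return false;
}

/** wp_handle_upload_prefilter callback: setting $file['error'] aborts the upload. */
function demo_reject_active_svg( array $file ): array {
    $ext  = strtolower( pathinfo( $file['name'] ?? '', PATHINFO_EXTENSION ) );
    $mime = $file['type'] ?? '';
    if ( 'svg' !== $ext && 'image/svg+xml' !== $mime ) {
        return $file; // not an SVG, leave it to the normal MIME checks
    }
    $contents = @file_get_contents( $file['tmp_name'] ?? '' );
    if ( false === $contents || demo_svg_has_active_content( $contents ) ) {
        $file['error'] = 'SVG rejected: scripts, event handlers and script URLs are not allowed.';
    }
    return $file;
}

if ( function_exists( 'add_filter' ) ) {
    add_filter( 'wp_handle_upload_prefilter', 'demo_reject_active_svg' );
}

// Constructed samples for a stand-alone run (`php this-file.php`) when WordPress is not loaded.
if ( PHP_SAPI === 'cli' && ! function_exists( 'add_filter' ) ) {
    $clean = '<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>';
    $evil  = '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">'
           . '<a xlink:href=" javascript:alert(1)"><text>x</text></a></svg>';
    foreach ( array( 'clean' => $clean, 'evil' => $evil ) as $label => $sample ) {
        echo $label, ': ', demo_svg_has_active_content( $sample ) ? 'active content' : 'ok', "\n";
    }
}
```

This is a denylist, which is the weaker shape: a full sanitizer that rebuilds the document from an allowlist of SVG elements and attributes is the better long-term control. Whatever is chosen, also remember that an SVG referenced from `<img>` cannot run script, while one opened directly from `wp-content/uploads` or inlined into a page can, so serving uploads with a restrictive `Content-Security-Policy` is a useful second layer.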

Blocksy Companion # CVE-2024-31932
CVE / Research URL: CVE-2024-31932
Application: Blocksy Companion
Date: Apr 11, 2024
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in CreativeThemes Blocksy Companion. This issue affects Blocksy Companion: from n/a through 2.0.28.
Affected versions: < 2.0.29 (up to and including 2.0.28)
Status: vulnerable

Blocksy Companion # CVE-2024-35633
CVE / Research URL: CVE-2024-35633
Application: Blocksy Companion
Date: Jun 03, 2024
Research Description: Server-Side Request Forgery (SSRF) vulnerability in CreativeThemes Blocksy Companion. This issue affects Blocksy Companion: from n/a through 2.0.42.
Affected versions: < 2.0.43 (up to and including 2.0.42)
Status: vulnerable
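The entry above gives no detail of where the SSRF sits, so the following is an added, generic illustration (not Blocksy's code) of how a WordPress plugin fetches a user-supplied URL without letting it reach internal services: a pure-PHP policy check against an allowlist, followed by `wp_safe_remote_get()` with redirects disabled. The `demo_*` names and the allowlisted hosts are invented; the fetch function needs WordPress loaded.

```php
<?php
/**
 * Added example (not Blocksy code): SSRF-resistant outbound fetch for a plugin.
 * demo_* names and DEMO_ALLOWED_HOSTS are invented.
 */

const DEMO_ALLOWED_HOSTS = array( 'api.example.com', 'cdn.example.com' ); // constructed allowlist

/** Pure-PHP policy: https only, a known host, no credentials, no unusual port, no IP literal. */
function demo_url_is_allowed( string $url ): bool {
    $parts = parse_url( $url );
    if ( false === $parts || empty( $parts['host'] ) ) {
        return false;
    }
    if ( 'https' !== strtolower( $parts['scheme'] ?? '' ) ) {
        return false; // rules out http://, file://, gopher://, ftp:// and friends
    }
    if ( isset( $parts['user'] ) || isset( $parts['pass'] ) ) {
        return false; // https://api.example.com@169.254.169.254/ style confusion
    }
    if ( isset( $parts['port'] ) && 443 !== (int) $parts['port'] ) {
        return false; // keeps the request off Redis, Memcached, internal admin ports, ...
    }
    $host = strtolower( rtrim( $parts['host'], '.' ) );
    if ( '[' === $host[0] || filter_var( $host, FILTER_VALIDATE_IP ) ) {
        return false; // an IP literal can never be an allowlisted name; say so explicitly
    }
    return in_array( $host, DEMO_ALLOWED_HOSTS, true );
}

/** WordPress side: policy first, then the safe HTTP wrapper. Returns array|WP_Error. */
function demo_safe_fetch( string $url ) {
    if ( ! demo_url_is_allowed( $url ) ) {
        return new WP_Error( 'demo_ssrf_blocked', 'URL not permitted.' );
    }
    // wp_safe_remote_get() turns on reject_unsafe_urls, so wp_http_validate_url() also
    // refuses loopback and RFC 1918 targets. redirection => 0 stops an allowed host from
    // bouncing the request to an internal address through a 302.
    return wp_safe_remote_get( $url, array( 'timeout' => 5, 'redirection' => 0 ) );
}

// The vulnerable shape this replaces is the one-liner wp_remote_get( $_POST['url'] ).

// Constructed URLs for a stand-alone policy run (`php this-file.php`) without WordPress.
if ( PHP_SAPI === 'cli' && ! function_exists( 'add_filter' ) ) {
    $samples = array(
        'https://api.example.com/v1/status',
        'http://api.example.com/v1/status',
        'https://api.example.com@10.0.0.5/',
        'https://169.254.169.254/latest/meta-data/',
        'https://cdn.example.com:8080/x',
    );
    foreach ( $samples as $u ) {
        echo demo_url_is_allowed( $u ) ? 'allow ' : 'block ', $u, "\n";
    }
}
```

Allowlisting by host name still leaves DNS rebinding (the name resolving to a public address when validated and a private one when connected) as a residual risk; where the fetch target is not a fixed set of partners, resolve the host yourself, pin the connection to the resolved address, and reject private ranges at that point as well.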

Blocksy Companion # e8144b41eb577a61483ac7e414c28870598605c2
Application: Blocksy Companion
Date: Feb 28, 2022
Research Description: Toggle the debug mode via Cross-Site Request Forgery (CSRF) vulnerability discovered in the WordPress Blocksy Companion plugin [blocksy-companion], versions < 1.8.20.
Affected versions: < 1.8.20
Status: vulnerable

Blocksy Companion # CVE-2023-23898
CVE / Research URL: CVE-2023-23898
Application: Blocksy Companion
Date: Apr 06, 2023
Research Description: Authenticated (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in the CreativeThemes Blocksy Companion plugin, versions <= 1.8.67.
Affected versions: < 1.8.68 (up to and including 1.8.67)
Status: vulnerable

Blocksy Companion # CVE-2024-2392
CVE / Research URL: CVE-2024-2392
Application: Blocksy Companion
Date: Mar 22, 2024
Research Description: The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Newsletter widget in all versions up to, and including, 2.0.31 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: < 2.0.32 (up to and including 2.0.31)
Status: vulnerable
Nov 15, 2024

Blocksy Companion # CVE-2022-4974
CVE / Research URL: CVE-2022-4974
Application: Blocksy Companion
Date: Oct 16, 2024
Research Description: The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and _set_db_option functions in versions up to, and including, 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.
Affected versions: < 1.8.20 (Blocksy Companion releases bundling the affected Freemius SDK, per this listing)
Status: vulnerable
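The debug-mode toggle entry (versions < 1.8.20) and the Freemius entry above describe the same defect class: an admin-ajax action that writes or reads a site option with neither a nonce nor a capability check. The following added example (not Blocksy's or Freemius's code) shows that handler unprotected and then hardened, plus the read-side counterpart of `_get_db_option` restricted to an allowlist of option names, and how the nonce reaches the plugin's own admin script. All `demo_*` names, option names and script handles are invented; the file runs only inside WordPress.

```php
<?php
/**
 * Added example (not Blocksy or Freemius code): admin-ajax handlers with and without
 * CSRF and capability protection. demo_* names, option names and handles are invented.
 */

// Vulnerable pattern: wp_ajax_* runs for every logged-in user, and nothing here asks
// who is calling or whether they meant to. A forged cross-site form submitted from an
// administrator's browser flips the option.
function demo_toggle_debug_vulnerable() {
    $current = (bool) get_option( 'demo_debug_mode', false );
    update_option( 'demo_debug_mode', ! $current );
    wp_send_json_success( array( 'debug' => ! $current ) );
}
add_action( 'wp_ajax_demo_toggle_debug_vulnerable', 'demo_toggle_debug_vulnerable' );

// Hardened pattern: prove intent (nonce) and authority (capability) before writing.
function demo_toggle_debug_hardened() {
    // Dies with HTTP 403 unless a valid nonce for this action arrived in $_REQUEST['nonce'].
    check_ajax_referer( 'demo_toggle_debug', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $current = (bool) get_option( 'demo_debug_mode', false );
    update_option( 'demo_debug_mode', ! $current );
    wp_send_json_success( array( 'debug' => ! $current ) );
}
add_action( 'wp_ajax_demo_toggle_debug_hardened', 'demo_toggle_debug_hardened' );

// Read side: an endpoint returning get_option( $_POST['name'] ) discloses any option
// (API keys, SMTP credentials, licence data). Gate the caller AND allowlist the names.
function demo_get_option_hardened() {
    check_ajax_referer( 'demo_get_option', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $allowed = array( 'demo_debug_mode', 'demo_log_level' );
    $name    = sanitize_key( $_POST['name'] ?? '' );
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }
    wp_send_json_success( array( $name => get_option( $name ) ) );
}
add_action( 'wp_ajax_demo_get_option', 'demo_get_option_hardened' );

// Hand the nonces to the plugin's own settings-page script so legitimate calls pass.
function demo_enqueue_admin_script( $hook_suffix ) {
    if ( 'settings_page_demo' !== $hook_suffix ) {
        return; // only on this plugin's settings page, not on every admin screen
    }
    wp_enqueue_script( 'demo-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-admin', 'demoAjax', array(
        'url'         => admin_url( 'admin-ajax.php' ),
        'toggleNonce' => wp_create_nonce( 'demo_toggle_debug' ),
        'getNonce'    => wp_create_nonce( 'demo_get_option' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'demo_enqueue_admin_script' );
```

The nonce and the capability check are not interchangeable: the nonce defeats the cross-site forgery (the attacker's page cannot read it), while `current_user_can()` stops a low-privilege account that obtains its own valid nonce from using the endpoint at all. Debug toggles and option readers need both.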
Oct 11, 2025

Blocksy Companion # CVE-2025-9565
CVE / Research URL: CVE-2025-9565
Application: Blocksy Companion
Date: Sep 17, 2025
Research Description: The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's blocksy_newsletter_subscribe shortcode in all versions up to, and including, 2.1.10 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: < 2.1.11 (up to and including 2.1.10)
Status: vulnerable
Nov 10, 2025

Blocksy Companion # CVE-2025-12475
CVE / Research URL: CVE-2025-12475
Application: Blocksy Companion
Date: Oct 30, 2025
Research Description: The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'blocksy_newsletter_subscribe' shortcode in all versions up to, and including, 2.1.14 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: < 2.1.15 (up to and including 2.1.14)
Status: vulnerable
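Three entries on this page (CVE-2024-2392 for the Newsletter widget, and CVE-2025-9565 and CVE-2025-12475 for the `blocksy_newsletter_subscribe` shortcode) describe the same mechanism: shortcode attributes that a contributor controls are written into HTML without context-appropriate escaping. The following added example (not Blocksy's code) is a hypothetical newsletter shortcode in that vulnerable shape next to its hardened form; `demo_*` names and the attribute names are invented, and the file runs only inside WordPress.

```php
<?php
/**
 * Added example (not Blocksy code): a newsletter-style shortcode with user-supplied
 * attributes, vulnerable and hardened. demo_* names and attribute names are invented.
 */

// Why "contributor-level" is enough: KSES strips <script> from a contributor's post
// body, but a shortcode attribute is inert text until render time, when the plugin
// itself turns it into markup. Whatever escaping the handler forgets, the attacker gets:
//   [demo_newsletter_vulnerable title='"><img src=x onerror=alert(document.cookie)>']

// Vulnerable pattern: attributes interpolated straight into the HTML string.
function demo_newsletter_vulnerable( $atts ) {
    $atts = shortcode_atts( array(
        'title'       => 'Subscribe',
        'placeholder' => 'Your email',
        'button'      => 'Join',
    ), $atts, 'demo_newsletter_vulnerable' );

    return '<form class="demo-newsletter" method="post">'
         . '<h3>' . $atts['title'] . '</h3>'
         . '<input type="email" name="email" placeholder="' . $atts['placeholder'] . '">'
         . '<button type="submit">' . $atts['button'] . '</button>'
         . '</form>';
}
add_shortcode( 'demo_newsletter_vulnerable', 'demo_newsletter_vulnerable' );

// Hardened pattern: escape every value for the context it lands in, at output time.
function demo_newsletter_hardened( $atts ) {
    $atts = shortcode_atts( array(
        'title'       => 'Subscribe',
        'placeholder' => 'Your email',
        'button'      => 'Join',
        'redirect'    => '',
    ), $atts, 'demo_newsletter_hardened' );

    $html  = '<form class="demo-newsletter" method="post">';
    // Text-node context: esc_html() neutralises < > & " '.
    $html .= '<h3>' . esc_html( $atts['title'] ) . '</h3>';
    // Attribute context: esc_attr() so a quote cannot close the attribute and start a new one.
    $html .= '<input type="email" name="email" placeholder="' . esc_attr( $atts['placeholder'] ) . '">';
    $html .= '<button type="submit">' . esc_html( $atts['button'] ) . '</button>';
    // URL context: esc_url() drops javascript:/data: schemes; wp_validate_redirect()
    // additionally keeps the post-subscribe redirect on this site.
    if ( '' !== $atts['redirect'] ) {
        $redirect = esc_url( $atts['redirect'], array( 'http', 'https' ) );
        if ( '' !== $redirect && wp_validate_redirect( $redirect, '' ) === $redirect ) {
            $html .= '<input type="hidden" name="redirect" value="' . esc_attr( $redirect ) . '">';
        }
    }
    // CSRF protection for the submit itself; echo=false returns the field markup.
    $html .= wp_nonce_field( 'demo_newsletter', '_demo_nonce', true, false );
    $html .= '</form>';
    return $html;
}
add_shortcode( 'demo_newsletter_hardened', 'demo_newsletter_hardened' );
```

Sanitizing on input (for example `sanitize_text_field()` when the attribute is read) is a reasonable extra, but it is not a substitute for escaping on output: the same attribute value may be placed in a text node, an attribute and a URL, and each of those needs its own escaper.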