Vulnerabilities and security researches forblocksy-companion blocksy-companion

Direction: ascending

Jun 07, 2024

Blocksy Companion # CVE-2023-1911

CVE, Research URL: CVE-2023-1911
Home page URL: Security reports for Blocksy Companion
Application: Blocksy Companion
Date: May 02, 2023
Research Description: The Blocksy Companion WordPress plugin before 1.8.82 does not ensure that posts to be accessed via a shortcode are already public and can be viewed, allowing any authenticated users, such as subscriber to access draft posts for example
Affected versions: max 1.8.82.
Status: vulnerable

Blocksy Companion # CVE-2024-4487

CVE, Research URL: CVE-2024-4487
Home page URL: Security reports for Blocksy Companion
Application: Blocksy Companion
Date: May 14, 2024
Research Description: The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG uploads in versions up to, and including, 2.0.45 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 2.0.46.
Status: vulnerable

Blocksy Companion # CVE-2024-31932

CVE, Research URL: CVE-2024-31932
Home page URL: Security reports for Blocksy Companion
Application: Blocksy Companion
Date: Apr 11, 2024
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in CreativeThemes Blocksy Companion.This issue affects Blocksy Companion: from n/a through 2.0.28.
Affected versions: max 2.0.29.
Status: vulnerable

Blocksy Companion # CVE-2024-35633

CVE, Research URL: CVE-2024-35633
Home page URL: Security reports for Blocksy Companion
Application: Blocksy Companion
Date: Jun 03, 2024
Research Description: Server-Side Request Forgery (SSRF) vulnerability in Creative Themes Blocksy Companion blocksy-companion.This issue affects Blocksy Companion: from n/a through <= 2.0.42.
Affected versions: max 2.0.43.
Status: vulnerable

Blocksy Companion # e8144b41eb577a61483ac7e414c28870598605c2

CVE, Research URL: e8144b41eb577a61483ac7e414c28870598605c2
Home page URL: Security reports for Blocksy Companion
Application: Blocksy Companion
Date: Feb 28, 2022
Research Description: Blocksy Companion [blocksy-companion] < 1.8.20 WordPress Blocksy Companion plugin < 1.8.20 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability discovered in WordPress Blocksy Companion plugin (versions < 1.8.20).
Affected versions: max 1.8.20.
Status: vulnerable

Blocksy Companion # CVE-2023-23898

CVE, Research URL: CVE-2023-23898
Home page URL: Security reports for Blocksy Companion
Application: Blocksy Companion
Date: Apr 06, 2023
Research Description: Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in CreativeThemes Blocksy Companion plugin <= 1.8.67 versions.
Affected versions: max 1.8.68.
Status: vulnerable

Blocksy Companion # CVE-2024-2392

CVE, Research URL: CVE-2024-2392
Home page URL: Security reports for Blocksy Companion
Application: Blocksy Companion
Date: Mar 22, 2024
Research Description: The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Newsletter widget in all versions up to, and including, 2.0.31 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 2.0.32.
Status: vulnerable

Nov 15, 2024

Blocksy Companion # CVE-2022-4974

CVE, Research URL: CVE-2022-4974
Home page URL: Security reports for Blocksy Companion
Application: Blocksy Companion
Date: Oct 16, 2024
Research Description: The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.
Affected versions: max 1.8.20.
Status: vulnerable

Oct 11, 2025

Blocksy Companion # CVE-2025-9565

CVE, Research URL: CVE-2025-9565
Home page URL: Security reports for Blocksy Companion
Application: Blocksy Companion
Date: Sep 17, 2025
Research Description: The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's blocksy_newsletter_subscribe shortcode in all versions up to, and including, 2.1.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 2.1.11.
Status: vulnerable

Nov 10, 2025

Blocksy Companion # CVE-2025-12475

CVE, Research URL: CVE-2025-12475
Home page URL: Security reports for Blocksy Companion
Application: Blocksy Companion
Date: Oct 30, 2025
Research Description: The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'blocksy_newsletter_subscribe' shortcode in all versions up to, and including, 2.1.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 2.1.15.
Status: vulnerable

Dec 11, 2025

Blocksy Companion # CVE-2025-12846

CVE, Research URL: CVE-2025-12846
Home page URL: Security reports for Blocksy Companion
Application: Blocksy Companion
Date: Nov 11, 2025
Research Description: The Blocksy Companion plugin for WordPress is vulnerable to authenticated arbitrary file upload in all versions up to, and including, 2.1.19. This is due to insufficient file type validation detecting SVG files, allowing double extension files to bypass sanitization while being accepted as a valid SVG file. This makes it possible for authenticated attackers, with author level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Affected versions: max 2.1.20.
Status: vulnerable

Jun 13, 2026

Blocksy Companion # CVE-2023-33999

CVE, Research URL: CVE-2023-33999
Home page URL: Security reports for Blocksy Companion
Application: Blocksy Companion
Date: Jun 11, 2026
Research Description: Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPVibes WP Mail Log allows DOM-Based XSS. This issue affects WP Mail Log: from n/a through 1.0.2.
Affected versions: max 1.8.47.
Status: vulnerable

Jun 16, 2026

Blocksy Companion # 6d8910c719b2a132ec93828cd37e418b19cac960

CVE, Research URL: 6d8910c719b2a132ec93828cd37e418b19cac960
Home page URL: Security reports for Blocksy Companion
Application: Blocksy Companion
Date: Mar 04, 2022
Research Description: Blocksy Companion [blocksy-companion] < 1.8.20 Freemius SDK <= 2.4.2 - Missing Authorization Checks The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.
Affected versions: max 1.8.20.
Status: vulnerable

Blocksy Companion # cea4647401ea11145b56dc8bbe1a8384d9c322db

CVE, Research URL: cea4647401ea11145b56dc8bbe1a8384d9c322db
Home page URL: Security reports for Blocksy Companion
Application: Blocksy Companion
Date: Feb 28, 2022
Research Description: Blocksy Companion [blocksy-companion] < 1.8.20 WordPress Blocksy Companion plugin < 1.8.20 - Sensitive Information Disclosure vulnerability Sensitive Information Disclosure vulnerability discovered in WordPress Blocksy Companion plugin (versions < 1.8.20).
Affected versions: max 1.8.20.
Status: vulnerable

Blocksy Companion # 096cb4bb1ad75181ea7ecfd5c16d103004604663

CVE, Research URL: 096cb4bb1ad75181ea7ecfd5c16d103004604663
Home page URL: Security reports for Blocksy Companion
Application: Blocksy Companion
Date: Oct 06, 2025
Research Description: Blocksy Companion [blocksy-companion] < 2.1.15 Blocksy Companion <= 2.1.14 - Authenticated (Contributor+) Stored Cross-Site Scripting The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'blocksy_newsletter_subscribe' shortcode in all versions up to, and including, 2.1.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 2.1.15.
Status: vulnerable

Jun 20, 2026

Blocksy Companion # CVE-2026-12430

CVE, Research URL: CVE-2026-12430
Home page URL: Security reports for Blocksy Companion
Application: Blocksy Companion
Date: Jun 19, 2026
Research Description: The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.1.45 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Affected versions: max 2.1.46.
Status: vulnerable