cleantalk
Vulnerabilities and Security Researches

Blocksy Companion, CVE-2026-12430

CVE, Research URL

CVE-2026-12430

Home page URL

Security reports for Blocksy Companion

Application

Blocksy Companion

Published on
Jun 19, 2026
Research Description
The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.1.45 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Affected versions
max 2.1.46.
Status
vulnerable
Previous vulnerability researches
Admin SMS Alert (CVE-2024-51637) , Nov 05, 2024
New vulnerability
Offload, AI & Optimize with Cloudflare Images (CVE-2026-9860) , Jun 20, 2026
Royal Elementor Addons and Templates (CVE-2026-8118) , Jun 20, 2026
Bogo (CVE-2026-9013) , Jun 20, 2026
Ocean Product Sharing (CVE-2026-56007) , Jun 20, 2026
User Admin Simplifier (CVE-2026-11775) , Jun 20, 2026