cleantalk
Vulnerabilities and Security Researches

Blocksy Companion, CVE-2024-4487

CVE, Research URL

CVE-2024-4487

Home page URL

Security reports for Blocksy Companion

Application

Blocksy Companion

Published on
May 14, 2024
Research Description
The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG uploads in versions up to, and including, 2.0.45 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 2.0.46.
Status
vulnerable
Previous vulnerability researches
Blocksy Companion (CVE-2022-4974) , Nov 15, 2024
Blocksy Companion (CVE-2025-9565) , Oct 11, 2025
Blocksy Companion (CVE-2025-12475) , Nov 10, 2025
Blocksy Companion (CVE-2023-1911) , Jun 07, 2024
Blocksy Companion (CVE-2024-4487) , Jun 07, 2024
New vulnerability
百度站长SEO合集(支持百度/神马/Bing/头条推送) (CVE-2025-62977) , Nov 11, 2025
WP jQuery Pager (CVE-2025-10575) , Nov 11, 2025
DELUCKS SEO (CVE-2025-49376) , Nov 11, 2025
B Carousel Block – Create stunning responsive carousels effortlessly (CVE-2025-12388) , Nov 11, 2025
Stock Snapshot for WooCommerce (CVE-2025-10167) , Nov 11, 2025