cleantalk
Vulnerabilities and Security Researches

Blocksy, CVE-2026-2583

CVE, Research URL

CVE-2026-2583

Home page URL

Security reports for Blocksy

Application

Blocksy

Published on
Mar 03, 2026
Research Description
The Blocksy theme for WordPress is vulnerable to Stored Cross-Site Scripting via the `blocksy_meta` metadata fields in all versions up to, and including, 2.1.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 2.1.31.
Status
vulnerable
Previous vulnerability researches
Migration, Backup, Staging – WPvivid (CVE-2022-27844) , Jun 07, 2024
Migration, Backup, Staging – WPvivid (CVE-2021-24994) , Jun 07, 2024
Migration, Backup, Staging – WPvivid (CVE-2022-2442) , Jun 07, 2024
Migration, Backup, Staging – WPvivid (CVE-2022-2863) , Jun 07, 2024
Migration, Backup, Staging – WPvivid (CVE-2022-0531) , Jun 07, 2024
New vulnerability
Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX (CVE-2026-1273) , Apr 15, 2026
PDF Invoices & Packing Slips for WooCommerce (CVE-2026-1906) , Apr 15, 2026
Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin (CVE-2026-4109) , Apr 15, 2026
User Submitted Posts – Enable Users to Submit Posts from the Front End (CVE-2026-2126) , Apr 15, 2026
User Submitted Posts – Enable Users to Submit Posts from the Front End (CVE-2026-0913) , Apr 15, 2026