
Creativethemeshq Blocksy Companion vulnerabilities

7 known vulnerabilities affecting creativethemeshq/blocksy_companion.

Total CVEs: 7
CISA KEV: 0
Public exploits: 0
Exploited in wild: 1
Severity breakdown: HIGH 1, MEDIUM 6

Vulnerabilities

CVE-2022-4974 | P2 | MEDIUM | CVSS 6.3 | Exploited | fixed in 1.8.20 | 2024-10-16
CWE-862. The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme runni
Source: NVD
CVE-2025-12846 | P2 | HIGH | CVSS 8.8 | ≤ 2.1.19 | 2025-11-11
CWE-434. The Blocksy Companion plugin for WordPress is vulnerable to authenticated arbitrary file upload in all versions up to, and including, 2.1.19. This is due to insufficient file type validation detecting SVG files, allowing double extension files to bypass sanitization while being accepted as a valid SVG file. This makes it possible for authenticated att
Source: NVD
CVE-2025-9565 | P4 | MEDIUM | CVSS 6.4 | ≤ 2.1.10 | 2025-09-17
CWE-79. The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's blocksy_newsletter_subscribe shortcode in all versions up to, and including, 2.1.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level ac
Source: NVD
CVE-2025-12475 | P4 | MEDIUM | CVSS 6.4 | ≤ 2.1.14 | 2025-10-30
CWE-79. The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'blocksy_newsletter_subscribe' shortcode in all versions up to, and including, 2.1.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-leve
Source: NVD
CVE-2024-4487 | P4 | MEDIUM | CVSS 5.4 | ≤ 2.0.45 | 2024-05-14
CWE-79. The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG uploads in versions up to, and including, 2.0.45 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will
Source: NVD
CVE-2024-2392 | P4 | MEDIUM | CVSS 5.4 | ≤ 2.0.31 | 2024-03-22
CWE-79. The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Newsletter widget in all versions up to, and including, 2.0.31 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to
Source: NVD
CVE-2026-12430 | P4 | MEDIUM | CVSS 4.4 | ≤ 2.1.45 | 2026-06-19
CWE-79. The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.1.45 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that w
Source: NVD