WordPress Blocksy Companion Stored XSS Vulnerability (CVE-2026-12433) Advisory

Vulnerability Overview Vulnerability Name: Blocksy Companion <= 2.1.45 - Authenticated (Editor+) Stored Cross-Site Scripting via 'product_description' Parameter CVE ID: CVE-2026-12433 CVSS Score: 4.4 (Medium) Release Date: June 18, 2026 Last Updated: June 19, 2026 Researchers: Pasindu Dilshan (K4PXD) - HACK KAP (PVT) LTD Impact Scope Affected Versions: Blocksy Companion <= 2.1.45 Vulnerability Type: Stored Cross-Site Scripting (Stored XSS) Impact Description: The Blocksy Companion plugin for WordPress suffers from insufficient input sanitization and output escaping, allowing authenticated attackers (with Editor privileges or higher) to inject arbitrary web scripts into pages. These scripts are executed when users visit the affected pages. This vulnerability only affects multisite installations and installations where is not disabled. Remediation Fixed Version: Update to version 2.1.46 or later Patch Status: Fixed Additional Information Reference Links: - plugins.trac.wordpress.org - plugins.trac.wordpress.org - plugins.trac.wordpress.org - plugins.trac.wordpress.org - plugins.trac.wordpress.org - plugins.trac.wordpress.org Vulnerability Details Software Type: Plugin Software Slug: blocksy-companion (view on wordpress.org) Is Fixed: Yes Remediation Method: Update to version 2.1.46 or later Affected Versions: <= 2.1.45 Fixed Version: 2.1.46 Recent Vulnerabilities Blocksy Companion <= 2.1.19 - Authenticated (Author+) Arbitrary File Upload via SVG Upload Bypass - CVE ID: CVE-2025-12846 - CVSS Score: 8.8 - Researcher: shark3y - Date: November 10, 2025 Blocksy Companion <= 2.1.14 - Authenticated (Contributor+) Stored Cross-Site Scripting - CVE ID: CVE-2025-12475 - CVSS Score: 6.4 - Researcher: Rafishanzani Suhada - Date: October 6, 2025 Blocksy Companion <= 2.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via blocksy_newsletter_subscribe Shortcode - CVE ID: CVE-2025-9565 - CVSS Score: 6.4 - Researcher: Muhammad Yudha - DJ - Date: September 16, 2025 Blocksy Companion <= 2.0.42 - Authenticated (Admin+) Server-Side Request Forgery - CVE ID: CVE-2024-35633 - CVSS Score: 5.5 - Researcher: Yuchen Ji - Date: May 30, 2024 Blocksy Companion <= 2.0.45 - Authenticated (Contributor+) Stored Cross-Site Scripting via SVG Uploads - CVE ID: CVE-2024-4487 - CVSS Score: 6.4 - Researcher: wesley (wcraft) - Date: May 10, 2024 Blocksy Companion <= 2.0.28 - Cross-Site Request Forgery - CVE ID: CVE-2024-31932 - CVSS Score: 5.3 - Researcher: R3N0 - Date: April 10, 2024 Blocksy Companion <= 2.0.31 - Authenticated (Contributor+) Stored Cross-Site Scripting - CVE ID: CVE-2024-2392 - CVSS Score: 6.4 - Researcher: Ngô Thiên An (ancorn_) - Date: March 21, 2024 Blocksy Companion <= 1.8.81 - Authenticated(Subscriber+) Sensitive Information Exposure via blocksy_posts shortcode - CVE ID: CVE-2023-1911 - CVSS Score: 4.3 - Researcher: Erwan LR - Date: April 10, 2023 Blocksy Companion <= 1.8.67 - Authenticated (Contributor+) Stored Cross-Site Scripting - CVE ID: CVE-2023-23898 - CVSS Score: 6.4 - Researcher: Rafishanzani Suhada - Date: January 27, 2023 Freemius SDK <= 2.4.2 - Missing Authorization Checks - CVE ID: CVE-2022-4974 - CVSS Score: 6.3 - Researcher: - Date: March 4, 2022 Summary The Blocksy Companion plugin version 2.1.45 and below contains a Stored Cross-Site Scripting (Stored XSS) vulnerability. It is recommended to update to version 2.1.46 or later to remediate this issue.

Goal Reached Thanks to every supporter — we hit 100%!

WordPress Blocksy Companion Stored XSS Vulnerability (CVE-2026-12433) Advisory