WordPress Blocksy Companion Stored XSS Vulnerability (CVE-2026-12433) Advisory

漏洞概述 漏洞名称: Blocksy Companion <= 2.1.45 - Authenticated (Editor+) Stored Cross-Site Scripting via 'product_description' Parameter CVE ID: CVE-2026-12433 CVSS评分: 4.4 (Medium) 发布日期: June 18, 2026 最后更新日期: June 19, 2026 研究人员: Pasindu Dilshan (K4PXD) - HACK KAP (PVT) LTD 影响范围 受影响版本: Blocksy Companion <= 2.1.45 漏洞类型: 存储型跨站脚本（Stored Cross-Site Scripting） 影响描述: Blocksy Companion 插件在 WordPress 中由于输入 sanitization 和输出转义不足，允许经过身份验证的攻击者（具有编辑器及以上权限）在页面中注入任意 web 脚本，当用户访问被注入的页面时执行。此漏洞仅影响多站点安装和未禁用 的安装。 修复方案 修复版本: 更新至 2.1.46 或更高版本 补丁状态: 已修复 其他信息 参考链接: - plugins.trac.wordpress.org - plugins.trac.wordpress.org - plugins.trac.wordpress.org - plugins.trac.wordpress.org - plugins.trac.wordpress.org - plugins.trac.wordpress.org 漏洞详情 软件类型: Plugin 软件 Slug: blocksy-companion (view on wordpress.org) 是否已修复: Yes 修复方法: 更新至 2.1.46 或更高版本 受影响版本: <= 2.1.45 修复版本: 2.1.46 近期漏洞 Blocksy Companion <= 2.1.19 - Authenticated (Author+) Arbitrary File Upload via SVG Upload Bypass - CVE ID: CVE-2025-12846 - CVSS评分: 8.8 - 研究人员: shark3y - 日期: November 10, 2025 Blocksy Companion <= 2.1.14 - Authenticated (Contributor+) Stored Cross-Site Scripting - CVE ID: CVE-2025-12475 - CVSS评分: 6.4 - 研究人员: Rafishanzani Suhada - 日期: October 6, 2025 Blocksy Companion <= 2.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via blocksy_newsletter_subscribe Shortcode - CVE ID: CVE-2025-9565 - CVSS评分: 6.4 - 研究人员: Muhammad Yudha - DJ - 日期: September 16, 2025 Blocksy Companion <= 2.0.42 - Authenticated (Admin+) Server-Side Request Forgery - CVE ID: CVE-2024-35633 - CVSS评分: 5.5 - 研究人员: Yuchen Ji - 日期: May 30, 2024 Blocksy Companion <= 2.0.45 - Authenticated (Contributor+) Stored Cross-Site Scripting via SVG Uploads - CVE ID: CVE-2024-4487 - CVSS评分: 6.4 - 研究人员: wesley (wcraft) - 日期: May 10, 2024 Blocksy Companion <= 2.0.28 - Cross-Site Request Forgery - CVE ID: CVE-2024-31932 - CVSS评分: 5.3 - 研究人员: R3N0 - 日期: April 10, 2024 Blocksy Companion <= 2.0.31 - Authenticated (Contributor+) Stored Cross-Site Scripting - CVE ID: CVE-2024-2392 - CVSS评分: 6.4 - 研究人员: Ngô Thiên An (ancorn_) - 日期: March 21, 2024 Blocksy Companion <= 1.8.81 - Authenticated(Subscriber+) Sensitive Information Exposure via blocksy_posts shortcode - CVE ID: CVE-2023-1911 - CVSS评分: 4.3 - 研究人员: Erwan LR - 日期: April 10, 2023 Blocksy Companion <= 1.8.67 - Authenticated (Contributor+) Stored Cross-Site Scripting - CVE ID: CVE-2023-23898 - CVSS评分: 6.4 - 研究人员: Rafishanzani Suhada - 日期: January 27, 2023 Freemius SDK <= 2.4.2 - Missing Authorization Checks - CVE ID: CVE-2022-4974 - CVSS评分: 6.3 - 研究人员: - 日期: March 4, 2022 总结 Blocksy Companion 插件在版本 2.1.45 及以下存在存储型跨站脚本漏洞，建议更新至 2.1.46 或更高版本以修复该漏洞。

目標達成 すべての支援者に感謝 — 100%達成しました！

WordPress Blocksy Companion Stored XSS Vulnerability (CVE-2026-12433) Advisory

目標達成すべての支援者に感謝 — 100%達成しました！