PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-39596 Creative Themes CVE debrief

CVE-2026-39596 is a critical vulnerability in the Blocksy Companion Pro plugin, which allows unauthenticated SQL injection attacks. The vulnerability has a CVSS score of 9.3 and is considered critical. It was published on June 17, 2026, and last modified on the same day. The vendor and product information is not confirmed, but the vulnerability is reported by Patchstack. This vulnerability can allow attackers to inject malicious SQL code, potentially leading to data breaches and other security issues. Organizations using the Blocksy Companion Pro plugin should take immediate action to mitigate this vulnerability.

Vendor: Creative Themes
Product: Blocksy Companion Pro
CVSS: CRITICAL 9.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-17
Advisory published: 2026-06-17
Advisory updated: 2026-06-17

Who should care

Administrators and users of the Blocksy Companion Pro plugin, especially those running versions before 2.1.29, should be aware of this vulnerability and take the necessary actions to secure their installations. WordPress users, security teams, and IT professionals should also be informed about this critical vulnerability.

Technical summary

The CVE-2026-39596 vulnerability is an unauthenticated SQL injection issue in the Blocksy Companion Pro plugin. The vulnerability has a CVSS vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L: it is reachable over the network with low attack complexity, requires no privileges and no user interaction, has a changed scope, and has a high impact on confidentiality, no impact on integrity, and a low impact on availability. The weakness is classified as CWE-89, improper neutralization of special elements used in an SQL command.

Defensive priority

critical

Recommended defensive actions

  • Update the Blocksy Companion Pro plugin to version 2.1.29 or later.
  • Implement a Web Application Firewall (WAF) to detect and prevent SQL injection attacks.
  • Regularly monitor plugin and theme updates for known vulnerabilities.
  • Use strong passwords and limit login attempts to prevent unauthorized access.
  • Perform regular security audits and vulnerability assessments.
  • Consider using a security plugin or service to monitor and protect your WordPress installation.

Evidence notes

The information provided is based on the NVD and CVE records, which are considered reliable sources for vulnerability information. The vulnerability is reported by Patchstack, a known security research firm. However, some details, such as the vendor and product information, are not confirmed.
