PatchSiren cyber security CVE debrief

CVE-2026-40783 Creative Themes CVE debrief

A critical vulnerability, CVE-2026-40783, was published on June 17, 2026, affecting Blocksy Companion Pro plugin versions <= 2.1.37. It allows a user with Contributor-level access to achieve remote code execution, posing a significant risk to WordPress sites running the affected plugin. The CVSS score is 9.9 (critical). Users should immediately update to a patched version or apply mitigations to prevent exploitation.

Vendor
Creative Themes
Product
Blocksy Companion Pro
CVSS
CRITICAL 9.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-17
Original CVE updated
2026-06-17
Advisory published
2026-06-17
Advisory updated
2026-06-17

Who should care

WordPress site administrators using Blocksy Companion Pro plugin versions <= 2.1.37 should be aware of this critical vulnerability. Immediate action is required to prevent potential remote code execution attacks.

Technical summary

CVE-2026-40783 is a remote code execution (RCE) vulnerability in Blocksy Companion Pro plugin versions <= 2.1.37. It carries a CVSS score of 9.9 and is rated critical. A user with Contributor-level access can execute arbitrary code, potentially leading to full site compromise. The vulnerability is caused by insufficient input validation and sanitization.

Defensive priority

High

Recommended defensive actions

  • Update Blocksy Companion Pro to a patched version (>= 2.1.38) immediately.
  • Limit contributor privileges on WordPress sites.
  • Regularly monitor WordPress sites for suspicious activity.
  • Implement a Web Application Firewall (WAF) to detect and prevent RCE attacks.
  • Use secure protocols for data transmission and storage.
  • Keep all WordPress plugins and themes up-to-date.
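The first action above hinges on knowing whether the installed version falls in the affected range. The following POSIX sh helper is an added example, not code from PatchSiren, Patchstack or Creative Themes: it compares an installed version string against the first fixed version stated in this debrief (2.1.38) field by field, so that a version such as 2.1.4 is correctly treated as older than 2.1.37 (a plain string comparison gets that wrong). The version string itself is assumed to come from WP-CLI (`wp plugin get <slug> --field=version`); the plugin's WP-CLI slug is not given on this page, so it is left as a placeholder rather than hardcoded.

```shell
#!/bin/sh
# Added example (not PatchSiren's or the vendor's code): decide whether an
# installed Blocksy Companion Pro version is inside the affected range
# (<= 2.1.37) named in the debrief. Pure POSIX sh, no GNU-only utilities.
#
# Assumption: the caller obtains the version string from WP-CLI, e.g.
#   wp plugin get <slug> --field=version
# The plugin slug is not stated on the page, so it is not hardcoded here.

FIXED_VERSION="2.1.38"   # first patched version according to the debrief

# compare_versions A B -> prints -1, 0 or 1 for A<B, A=B, A>B.
# Walks the dot-separated fields numerically, so 2.1.4 < 2.1.37.
# Non-numeric suffixes such as "-beta" are ignored; missing fields count as 0.
compare_versions() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa="${a%%.*}"; fb="${b%%.*}"
        # drop the field just consumed; becomes empty when no dots remain
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        # keep only the leading digits of each field, default to 0
        fa="${fa%%[!0-9]*}"; fb="${fb%%[!0-9]*}"
        fa="${fa:-0}"; fb="${fb:-0}"
        if [ "$fa" -lt "$fb" ]; then echo -1; return; fi
        if [ "$fa" -gt "$fb" ]; then echo 1; return; fi
    done
    echo 0
}

# is_vulnerable VERSION -> exit 0 when VERSION is below FIXED_VERSION (affected).
is_vulnerable() {
    [ "$(compare_versions "$1" "$FIXED_VERSION")" -lt 0 ]
}

# check_plugin_version VERSION -> prints a verdict; returns 1 when affected so
# it can serve as a failing step in a maintenance or CI script.
check_plugin_version() {
    if is_vulnerable "$1"; then
        echo "Blocksy Companion Pro $1 is affected by CVE-2026-40783; update to >= $FIXED_VERSION"
        return 1
    fi
    echo "Blocksy Companion Pro $1 is at or above the fixed version $FIXED_VERSION"
    return 0
}

# Usage: pass the version WP-CLI reports for the plugin, e.g.
#   check_plugin_version "$(wp plugin get <slug> --field=version)"
if [ -n "$1" ]; then
    check_plugin_version "$1"
fi
```

Run it from a host with WP-CLI access to the site, or feed it version strings collected from several sites to triage a fleet; a non-zero exit marks a site that still needs the update.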

Evidence notes

The vulnerability was reported by Patchstack and published on their website. The CVE record was created on June 17, 2026, and the NVD detail page was also updated on the same day. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H.
