PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12430 creativethemeshq CVE debrief

The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.1.45 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Vendor
creativethemeshq
Product
Blocksy Companion
CVSS
MEDIUM 4.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-19
Original CVE updated
2026-06-22
Advisory published
2026-06-19
Advisory updated
2026-06-22

Who should care

Administrators of WordPress multi-site installations or installations where unfiltered_html has been disabled and using Blocksy Companion plugin versions up to and including 2.1.45 should prioritize updating to a patched version to prevent potential Stored Cross-Site Scripting attacks.

Technical summary

The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings. The vulnerability exists due to insufficient input sanitization and output escaping in versions up to and including 2.1.45. Authenticated attackers with editor-level permissions and above can inject arbitrary web scripts into pages, which execute when a user accesses an injected page. The vulnerability is only exploitable in multi-site installations or where unfiltered_html has been disabled.

Defensive priority

Medium priority due to the requirement for authenticated access with editor-level permissions and the specific conditions required for exploitation (multi-site installations or unfiltered_html disabled).

Recommended defensive actions

  • Update Blocksy Companion plugin to a version beyond 2.1.45.
  • Review and enhance input sanitization and output escaping for admin settings in the plugin.
  • Monitor for suspicious admin activity and injected scripts.
  • Consider disabling unfiltered_html if not required.
  • Regularly update WordPress and plugins.

Evidence notes

The CVE record was published on 2026-06-19T06:17:01.513Z and was last modified on 2026-06-22T16:43:14.450Z. The vulnerability was reported by [email protected]. Multiple references to code reviews and changesets are provided, indicating thorough analysis of the vulnerability.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-19T06:17:01.513Z and has not been modified since then.