PatchSiren cyber security CVE debrief
CVE-2026-12430 creativethemeshq CVE debrief
The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.1.45 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
- Vendor
- creativethemeshq
- Product
- Blocksy Companion
- CVSS
- MEDIUM 4.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-19
- Original CVE updated
- 2026-06-22
- Advisory published
- 2026-06-19
- Advisory updated
- 2026-06-22
Who should care
Administrators of WordPress multi-site installations or installations where unfiltered_html has been disabled and using Blocksy Companion plugin versions up to and including 2.1.45 should prioritize updating to a patched version to prevent potential Stored Cross-Site Scripting attacks.
Technical summary
The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings. The vulnerability exists due to insufficient input sanitization and output escaping in versions up to and including 2.1.45. Authenticated attackers with editor-level permissions and above can inject arbitrary web scripts into pages, which execute when a user accesses an injected page. The vulnerability is only exploitable in multi-site installations or where unfiltered_html has been disabled.
Defensive priority
Medium priority due to the requirement for authenticated access with editor-level permissions and the specific conditions required for exploitation (multi-site installations or unfiltered_html disabled).
Recommended defensive actions
- Update Blocksy Companion plugin to a version beyond 2.1.45.
- Review and enhance input sanitization and output escaping for admin settings in the plugin.
- Monitor for suspicious admin activity and injected scripts.
- Consider disabling unfiltered_html if not required.
- Regularly update WordPress and plugins.
Evidence notes
The CVE record was published on 2026-06-19T06:17:01.513Z and was last modified on 2026-06-22T16:43:14.450Z. The vulnerability was reported by [email protected]. Multiple references to code reviews and changesets are provided, indicating thorough analysis of the vulnerability.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-19T06:17:01.513Z and has not been modified since then.