CVE-2026-39596: WordPress Blocksy Companion Pro plugin < 2.1.29 - SQL Injection vulnerability
Unauthenticated SQL injection in Blocksy Companion Pro versions before 2.1.29.
Metrics
- CVSS v3.1: 9.3
- Severity: CRITICAL
- Fixed in: 2.1.29
- Affected Products: 1
HarborGuard Analysis
Synopsis
SQL injection in the Blocksy Companion Pro WordPress plugin (versions before 2.1.29) allows an unauthenticated remote attacker to send crafted HTTP requests directly to the vulnerable endpoint without any login or session. Exploitation gives the attacker read access to database contents and can partially disrupt service availability. A patched-image rebuild at version 2.1.29 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
- Detection: Available
Detection is available across every HarborGuard environment; the CVE is ingested from upstream feeds, including the Patchstack advisory, within minutes of publication and matched against customer images in registries and CI pipelines, including custom-built WordPress images that bundle this plugin.
- Prioritization: Available
HarborGuard scores this CVE at CVSS 9.3 Critical and weights it against each environment's configured compliance policy, then routes the finding to the appropriate team inbox within the customer organization.
- Remediation: Available
A patched-image rebuild at Blocksy Companion Pro 2.1.29 becomes available on HarborGuard for any image found to carry an affected version. For customers who opt into auto-remediation, the rebuild is followed by an automated regression test run and a PR opened against affected workloads.
Exploit Conditions
- Network reachability: Required
The attacker must reach the WordPress service over the network; no local or physical access is needed, making any internet-exposed or internally networked instance a viable target.
- Authentication: Not required
No account, session token, or privilege level is needed; the vulnerable endpoint accepts and processes malicious SQL payloads from anonymous requests.
- Victim interaction: Not required
The attacker sends crafted requests directly to the service; no user action such as clicking a link or opening a file is involved.
- Attack complexity: Low
Exploitation is reliable and condition-free; no race condition, specific memory layout, or environmental prerequisite is required to trigger the injection.
Blast Radius
- The attacker can read arbitrary rows from the WordPress database, including stored user credentials (hashed passwords), session tokens, and any customer or order records held in the database.
- Scope is marked Changed in the CVSS vector, meaning the injected queries can reach data outside the plugin's own tables and affect other components sharing the database instance.
- Availability impact is rated Low, meaning the attacker can cause partial service disruption, such as resource exhaustion from expensive injected queries, without a full crash.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of CVE publication for any scanned image that packages Blocksy Companion Pro below 2.1.29. Given the Critical severity (CVSS 9.3) and the absence of any authentication barrier, this CVE is prioritized at the top of the finding queue and weighted against each environment's compliance policy before routing. For customers who opt into auto-remediation, HarborGuard makes a rebuilt image at version 2.1.29 available, runs regression tests against it, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding appears in the team inbox with full remediation context attached.
Fix available
- Creative Themes / Blocksy Companion Pro: < 2.1.29 (from n/a)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L