CRITICAL | CVE-2026-40783 | CNA: Patchstack

CVE-2026-40783: WordPress Blocksy Companion Pro plugin <= 2.1.37 - Remote Code Execution (RCE) vulnerability

Remote Code Execution (RCE) by a contributor-level user in Blocksy Companion Pro versions <= 2.1.37.

Metrics

  • CVSS v3.1: 9.9
  • Severity: CRITICAL
  • Fixed in: no fixed version published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is a remote code execution vulnerability in the Blocksy Companion Pro WordPress plugin (versions 2.1.37 and earlier). It is reachable over the network and requires only a low-privilege (contributor-level) WordPress account to exploit, with no victim interaction needed. Successful exploitation gives an attacker full code execution on the host server, and the scope extends beyond the WordPress application itself. No fix version has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available the moment upstream ships a patch.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built WordPress images that bundle Blocksy Companion Pro.

Triage (Available)

HarborGuard scores this finding at CVSS 9.9 Critical and weights it further against each environment's compliance policy to determine breach-of-threshold severity routing. Findings meeting or exceeding the Critical threshold are dispatched to the appropriate team inbox within each customer org without manual intervention.

Patch (Pending upstream)

Because no upstream fix version has been published, HarborGuard re-checks the Patchstack advisory and upstream package feeds on every ingest cycle; a patched-image rebuild will become available automatically the moment a remediated release is published. In the interim, customers with network-policy controls or WAF rules can apply compensating controls surfaced in the HarborGuard remediation panel.

Exploit Conditions

  • Network reachability: Required

    The vulnerable plugin endpoint is exposed over the network, meaning an attacker can reach it from the internet or any network path to the WordPress installation without needing local or physical access.

  • Authentication: Required

    A low-privilege WordPress account (contributor role or equivalent) is sufficient; no administrative credentials are needed.

  • Victim interaction: Not required

    No user action or social-engineering step is needed; the attacker can trigger the vulnerability directly against the application.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other unpredictable environmental factors.

Blast Radius

  • The attacker executes arbitrary code in the context of the web server process, gaining direct control over the server environment.
  • Because the CVSS scope is Changed, the attacker can break out of the WordPress application boundary and affect the underlying host or co-located services.
  • Confidential data stored on the server, including database credentials, environment variables, and stored user content, is fully readable.
  • The attacker can write, modify, or delete files and database records, and can crash or disrupt the affected service.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-40783 is active across all connected registries and pipelines, matching any image that packages Blocksy Companion Pro at or below version 2.1.37. Because no upstream patch exists today, HarborGuard monitors the Patchstack advisory and the plugin's release feed on every ingest cycle and will trigger a patched-image rebuild automatically the moment a remediated version is published. For customers who opt into auto-remediation, that rebuild will be followed by a regression-test run and a PR opened against affected workloads, with no manual steps required. While awaiting an upstream fix, the HarborGuard remediation panel surfaces compensating-control recommendations including network-policy isolation to restrict contributor-role access paths, WAF rule deployment to block known payload patterns against the affected endpoint, and feature-flag or plugin-disable options where the WordPress environment permits. For environments with auto-remediation enabled, median time from patch publication to a merged PR for Critical-severity issues is around 90 minutes.
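An added example (not HarborGuard's or Patchstack's code) of the matching step the paragraph above describes: checking each image's plugin inventory against the advisory's "at or below 2.1.37" bound. The inventory rows, image tags and the plugin slug are constructed for the example. The point it makes is that versions must be compared component-wise: plain string comparison puts 2.1.4 above 2.1.37 and would silently miss an affected image.

```python
import re

# Constructed inventory rows, standing in for what an image scanner extracts
# from each image's WordPress plugin directory. Image tags and the slug are made up.
INVENTORY = [
    {"image": "shop-frontend:1.4", "plugin": "blocksy-companion-pro", "version": "2.1.37"},
    {"image": "blog:2024-11",      "plugin": "blocksy-companion-pro", "version": "2.1.4"},
    {"image": "blog:2025-02",      "plugin": "blocksy-companion-pro", "version": "2.1.38"},
    {"image": "docs:latest",       "plugin": "blocksy-companion-pro", "version": "2.2.0-beta1"},
    {"image": "intranet:7",        "plugin": "some-other-plugin",     "version": "1.0.0"},
]

# Dotted numeric version with an optional pre-release tag, e.g. 2.1.38 or 2.2.0-beta1.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-([0-9A-Za-z.]+))?$")


def version_key(version):
    """Comparable key: numeric components, then a flag so a pre-release sorts below its bare release."""
    match = _VERSION_RE.match(version)
    if not match:
        raise ValueError("unrecognised version string: %r" % version)
    nums = tuple(int(p) for p in match.group(1).split("."))
    pre = match.group(2)
    return (nums, 0, pre) if pre else (nums, 1, "")


def is_affected(plugin, version, affected_plugin="blocksy-companion-pro", max_affected="2.1.37"):
    """True when the row is the affected plugin at or below the advisory's upper bound (<= 2.1.37)."""
    return plugin == affected_plugin and version_key(version) <= version_key(max_affected)


def find_affected(inventory, **bounds):
    """Images whose inventory row falls inside the advisory's affected range."""
    return [row["image"] for row in inventory
            if is_affected(row["plugin"], row["version"], **bounds)]


if __name__ == "__main__":
    for image in find_affected(INVENTORY):
        print("affected:", image)
```

With the constructed inventory, shop-frontend:1.4 (exactly 2.1.37) and blog:2024-11 (2.1.4) are flagged; 2.1.38, the 2.2.0 pre-release and the unrelated plugin are not. A version string the regex does not recognise raises rather than being treated as "not affected", so a malformed inventory entry surfaces as an error instead of a silent miss.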

Affected packages

  • Creative Themes / Blocksy Companion Pro: ≤ 2.1.37

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H