CVE-2026-57624: WordPress Blocksy Companion Pro plugin <= 2.1.46 - Remote Code Execution (RCE) vulnerability
Unauthenticated Remote Code Execution (RCE) in Blocksy Companion Pro <= 2.1.46 versions.
Metrics
- CVSS v3.1: 10.0
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unauthenticated remote code execution vulnerability affects the Blocksy Companion Pro WordPress plugin at version 2.1.46 and earlier. The flaw is reachable over the network with no credentials required and no user interaction needed, allowing a remote attacker to execute arbitrary code on the host running the affected plugin. Successful exploitation gives the attacker full control over confidentiality, integrity, and availability of the affected system. No fix version has been published yet; HarborGuard tracks the upstream advisory and will surface a patched-image rebuild the moment one becomes available.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle the Blocksy Companion Pro plugin. Any image carrying an affected version of the plugin is flagged immediately.
Status: Available
HarborGuard is capable of scoring this finding at CVSS 10.0 (Critical) and weighting it against each customer environment's compliance policy to determine urgency and routing. Triage results are routable to the appropriate team inbox within each customer organization based on configured ownership rules.
Status: Available
Because no fix version has been published upstream, HarborGuard re-evaluates the Patchstack advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Creative Themes ships a remediated release. Until then, customers can apply compensating controls such as network-policy isolation to restrict external access to WordPress endpoints exposed by the plugin.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The attacker must reach the WordPress service over the network; the affected plugin endpoint is exposed via HTTP/HTTPS with no network-level restriction implied by the vulnerability itself.
- Authentication: Not required
No account or session token is needed; the attacker can trigger the vulnerability as a completely unauthenticated HTTP client.
- Victim interaction: Not required
No user action is required; the attacker sends a crafted request directly to the server without involving any logged-in user.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layout, or other variable environmental factors.
Blast Radius
- Executes arbitrary operating system commands or code in the context of the web server process, giving the attacker a foothold on the host.
- Reads any file accessible to the web server user, including WordPress configuration files containing database credentials and secret keys.
- Writes or modifies files on the server, enabling backdoor installation, defacement, or supply-chain tampering of served content.
- Crashes or degrades the web server process, taking the affected WordPress site offline.
How HarborGuard Handles This
Available on HarborGuard: detection for this CVE is active across all connected registries and CI pipelines, flagging any image that bundles Blocksy Companion Pro at or below version 2.1.46 as a Critical finding. Because no upstream fix exists yet, HarborGuard monitors the Patchstack advisory on every ingest cycle and will trigger a patched-image rebuild automatically once Creative Themes publishes a remediated release. For customers with auto-remediation enabled, that flow includes a regression-test run and a PR opened against affected workloads. In the interim, recommended compensating controls include applying Kubernetes network policies or WAF rules to block unauthenticated external access to the WordPress REST API and plugin-registered endpoints, disabling or removing the Blocksy Companion Pro plugin from images where it is not strictly required, and using egress filtering to limit outbound connections from the web server container in case of a breach.
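The detection described above comes down to one check: does an image ship Blocksy Companion Pro at a version at or below 2.1.46? The following added example (not HarborGuard's or Creative Themes' code) shows how a scanner can read the standard WordPress plugin header from a plugin's main PHP file and compare the version numerically against the advisory's upper bound. The sample header is constructed for the example; the exact "Plugin Name" string the real plugin uses, and its main-file name, are assumptions, so a deployment would verify them against the actual plugin package.

```python
import re

# Upper bound of the affected range, taken from the advisory: <= 2.1.46.
AFFECTED_MAX_VERSION = "2.1.46"

# Assumed value of the plugin's "Plugin Name" header field; verify against the real package.
ASSUMED_PLUGIN_NAME = "blocksy companion pro"


def parse_version(version: str) -> tuple:
    """Turn a dotted version string into a tuple of ints for numeric comparison.

    Lexical string comparison is a classic false-negative source for version
    matching: "2.1.5" > "2.1.46" as strings, yet 2.1.5 is older and affected.
    A non-numeric suffix such as "2.1.46-beta" is dropped after the numeric part.
    """
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version: str, max_affected: str = AFFECTED_MAX_VERSION) -> bool:
    """True when version <= max_affected, padding so that 2.1 compares as 2.1.0."""
    v, m = parse_version(version), parse_version(max_affected)
    width = max(len(v), len(m))
    v += (0,) * (width - len(v))
    m += (0,) * (width - len(m))
    return v <= m


# Matches the two WordPress plugin-header fields we need, e.g. " * Version: 2.1.46".
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.MULTILINE)


def read_plugin_header(source: str) -> dict:
    """Extract "Plugin Name" and "Version" from the header comment of a plugin's main file."""
    return {key: value for key, value in HEADER_RE.findall(source)}


def scan_plugin_file(source: str) -> dict:
    """Return the plugin's name, version and whether it falls in the affected range."""
    header = read_plugin_header(source)
    name = header.get("Plugin Name", "")
    version = header.get("Version", "")
    affected = (
        name.strip().lower() == ASSUMED_PLUGIN_NAME
        and bool(version)
        and is_affected(version)
    )
    return {"name": name, "version": version, "affected": affected}


# Constructed sample header (not copied from the plugin); only the two fields above are read.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Blocksy Companion Pro
 * Plugin URI: https://example.invalid/
 * Version: 2.1.46
 */
"""

if __name__ == "__main__":
    print(scan_plugin_file(SAMPLE_PLUGIN_HEADER))
```

In a real pipeline the source string would be the contents of the plugin's main file pulled out of each image layer; the important design point is the numeric comparison in parse_version, since a lexical comparison would silently miss older two-digit patch releases such as 2.1.5.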
Affected Products
- Creative Themes / Blocksy Companion Pro: ≤ 2.1.46
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H