CVE-2026-8365: Blocksy <= 2.1.41 - Authenticated (Contributor+) PHP Object Injection via Deserialization of Untrusted Data via 'blocksy_meta' REST API Field
The Blocksy theme for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution via the 'blocksy_meta' REST API field and the V200 database migration in versions up to and including 2.1.35. This is due to insufficient input sanitization in the blocksy_sanitize_post_meta_options() function, which only blocks values containing '<' or '>' and does not prevent serialized PHP object strings from being stored in post meta, combined with the SearchReplacer::run_recursively() function unconditionally deserializing all string values via @unserialize() during migration without restricting allowed classes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a serialized Blocksy\RaiiPattern object into post meta that, when the V200 migration runs on an upgraded site, is deserialized and triggers RaiiPattern::__destruct(), which executes arbitrary PHP callables via call_user_func().
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
PHP Object Injection via unsafe deserialization affects the Blocksy WordPress theme (versions up to and including 2.1.41). The vulnerability is reachable over the network by any authenticated user holding a contributor-level account or higher, requiring no victim interaction. Successful exploitation triggers remote code execution on the WordPress host through a chained gadget that fires during a database migration routine. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection capability is available across every HarborGuard environment: CVE-2026-8365 is ingested from upstream feeds, including the Wordfence advisory feed, within minutes of publication and matched against customer images in connected registries and CI pipelines. Coverage extends to custom-built images that bundle the Blocksy theme directly.
Status: Available
HarborGuard scores this finding at CVSS 8.8 HIGH (v3.1) and weights it against each environment's compliance policy to determine urgency and routing. Triage results are delivered to the appropriate team inbox within each customer organization based on configured ownership rules.
Status: Available
No fix version has been published upstream for CVE-2026-8365. HarborGuard re-checks the Wordfence and NVD advisory feeds on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be initiated without manual intervention.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
  The WordPress REST API endpoint that accepts the 'blocksy_meta' field is exposed over the network, so the attacker must be able to reach the WordPress site via HTTP or HTTPS.
- Authentication: Required
  A valid WordPress account with contributor-level privileges or higher is required; any low-privilege registered account is sufficient to submit malicious post meta.
- Victim interaction: Not required
  No victim action is needed; exploitation is fully attacker-driven once the malicious payload is stored and the V200 migration runs on an upgraded site.
- Attack complexity: Low
  Attack complexity is low: exploitation is reliable and needs no special conditions beyond the site upgrading, which triggers the migration that deserializes the injected object.
Blast Radius
- Attacker executes arbitrary PHP code on the WordPress server by abusing the RaiiPattern::__destruct gadget chain invoked via call_user_func().
- Full confidentiality impact: attacker reads any data accessible to the web server process, including database credentials, session tokens, and stored user records.
- Full integrity impact: attacker writes or modifies files, database rows, and configuration on the host.
- Full availability impact: attacker can crash or disable the WordPress application and any co-hosted services running under the same process context.
How HarborGuard Handles This
Available on HarborGuard: images containing Blocksy versions up to and including 2.1.41 are flagged as affected by CVE-2026-8365 across all connected registries and pipelines. Because no upstream fix has been published, HarborGuard monitors the Wordfence and NVD advisory feeds on every ingest cycle and will surface a patched-image rebuild automatically once a remediated version is released. For customers with auto-remediation enabled, that rebuild will be paired with a regression test run and a PR opened against affected workloads without requiring manual steps. In the interim, compensating controls to consider include restricting contributor-level REST API access via a WordPress application firewall rule that blocks serialized PHP strings in the 'blocksy_meta' field, isolating the WordPress container with a network policy that limits egress to only required services, and gating or delaying the V200 database migration on any upgraded instance until a patch is available. These suggestions are not enforced by HarborGuard directly; they are environmental controls that reduce the window of exposure while awaiting an upstream fix.
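The two weaknesses the description names (a sanitizer that only blocks '<' and '>', and an @unserialize() call with no allowed_classes restriction) each have a direct fix, and the compensating-controls paragraph above suggests screening the 'blocksy_meta' field for serialized PHP strings. The block below is an added illustration, not Blocksy's code; the function names are hypothetical. It shows a hardened sanitizer, a migration-side unserialize() that disables class instantiation, and a detection hook for object payloads that were already stored before the fix.

```php
<?php
// Added example (not Blocksy's code): hypothetical hardened versions of the two
// functions named in the advisory, plus a detection hook for stored payloads.
function looks_like_serialized_object(string $value): bool
{
    // Objects serialize as O:<len>:"<Class>": (C: is the legacy Serializable
    // form). Scan the whole string so objects nested inside a:{} arrays match too.
    return (bool) preg_match('/[OC]:\d+:"/', $value);
}

function hardened_sanitize_post_meta_options($options)
{
    if (is_array($options)) {
        foreach ($options as $key => $value) {
            $options[$key] = hardened_sanitize_post_meta_options($value);
        }
        return $options;
    }
    // Keep the original '<'/'>' rule and additionally refuse object payloads.
    if (is_string($options)
        && (strpbrk($options, '<>') !== false || looks_like_serialized_object($options))) {
        return '';
    }
    return $options;
}

function contains_incomplete_class($data): bool
{
    if ($data instanceof __PHP_Incomplete_Class) { return true; }
    foreach (is_array($data) ? $data : [] as $item) {
        if (contains_incomplete_class($item)) { return true; }
    }
    return false;
}

function hardened_migration_unserialize(string $value)
{
    // allowed_classes => false maps every O: record to __PHP_Incomplete_Class,
    // so no __wakeup()/__destruct() (e.g. RaiiPattern) runs on the migration path.
    $decoded = @unserialize($value, ['allowed_classes' => false]);
    if ($decoded === false && $value !== 'b:0;') {
        return $value; // not serialized data: keep the plain string as-is
    }
    if (contains_incomplete_class($decoded)) {
        error_log('blocksy_meta: refused stored object payload during migration');
        return null; // detection point: this value should never have been stored
    }
    return $decoded;
}
```

The error_log() line is where a site would raise an alert: any __PHP_Incomplete_Class surfacing from post meta during migration means an object payload reached the database and the affected post's author and history deserve review.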
Affected Products
- creativethemeshq / Blocksy: ≤ 2.1.41
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References
- wordfence.com
- themes.trac.wordpress.org