Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total6
Critical0
High1
Medium5
Reset
Showing 1-6 of 6 records
Threat Entry Updated 2025-11-12

CVE-2025-12846 - Blocksy Companion Plugin

The Blocksy Companion plugin for WordPress is vulnerable to authenticated arbitrary file upload in all versions up to, and including, 2.1.19. This is due to insufficient file type validation detecting SVG files, allowing double extension files to bypass sanitization while being accepted as a valid SVG file. This makes it possible for authenticated attackers, with author level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Blocksy Companion

CVE-2025-12846

HIGH CVSS 8.8 2025-11-11
Open Full Technical Breakdown
Threat Entry Updated 2025-10-30

CVE-2025-12475 - Blocksy Companion Plugin

The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'blocksy_newsletter_subscribe' shortcode in all versions up to, and including, 2.1.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Blocksy Companion

CVE-2025-12475

MEDIUM CVSS 6.4 2025-10-30
Open Full Technical Breakdown
Threat Entry Updated 2025-09-17

CVE-2025-9565 - Blocksy Companion Plugin

The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's blocksy_newsletter_subscribe shortcode in all versions up to, and including, 2.1.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Blocksy Companion

CVE-2025-9565

MEDIUM CVSS 6.4 2025-09-17
Open Full Technical Breakdown
Threat Entry Updated 2025-01-28

CVE-2024-4487 - Blocksy Companion Plugin

The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG uploads in versions up to, and including, 2.0.45 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Blocksy Companion

CVE-2024-4487

MEDIUM CVSS 6.4 2024-05-14
Open Full Technical Breakdown
Threat Entry Updated 2025-01-28

CVE-2024-2392 - Blocksy Companion Plugin

The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Newsletter widget in all versions up to, and including, 2.0.31 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Blocksy Companion

CVE-2024-2392

MEDIUM CVSS 6.5 2024-03-22
Open Full Technical Breakdown
Threat Entry Updated 2025-01-30

CVE-2023-1911 - Blocksy Companion Plugin

The Blocksy Companion WordPress plugin before 1.8.82 does not ensure that posts to be accessed via a shortcode are already public and can be viewed, allowing any authenticated users, such as subscriber to access draft posts for example

PLUGIN Blocksy Companion

CVE-2023-1911

MEDIUM CVSS 4.3 2023-05-02
Open Full Technical Breakdown
Scroll to top