CVE-2026-57624: Critical Unauthenticated RCE in Blocksy Companion Pro
TL;DR - CVE-2026-57624 is a CVSS 10.0 unauthenticated RCE in Blocksy Companion Pro for WordPress. - Affects versions up to and including 2.1.46; upgrade to 2.1.47 or later immediately. - No confirmed in-the-wild exploitation or public PoC is known yet, but exposure should be treated as urgent.
| Field | Value |
|---|---|
| CVE ID | CVE-2026-57624 |
| CVSS score | 10.0 (Critical) |
| Attack vector | Network |
| Auth required | None |
| Patch status | Fixed in 2.1.47 |
Vulnerability at a glance
CVE-2026-57624 is a critical unauthenticated remote code execution vulnerability in Creative Themes Blocksy Companion Pro for WordPress. The current public record from NVD describes it succinctly as “Unauthenticated Remote Code Execution (RCE) in Blocksy Companion Pro <= 2.1.46 versions.” NVD also maps the flaw to CWE-94, Improper Control of Generation of Code, which is a serious weakness class because it indicates attacker input may reach a code execution path.
The affected version range is clearly stated: Blocksy Companion Pro versions up to and including 2.1.46 are affected, and 2.1.47 is the first version identified as unaffected. That version boundary matters operationally because defenders can use it to rapidly scope exposure across managed WordPress estates, hosting fleets, backup snapshots, and plugin inventory systems without waiting for additional vendor narrative.
What this means for defenders
The practical impact of this vulnerability is straightforward: if a site is running a vulnerable version of Blocksy Companion Pro and the vulnerable code path is reachable, an attacker may be able to execute code remotely without authentication. In WordPress environments, unauthenticated RCE often translates into full site takeover, web shell deployment, malicious admin creation, credential theft, content tampering, spam injection, redirect rules, or pivoting into adjacent systems if the host is poorly segmented.
The lack of public technical detail should not reduce urgency. In fact, when a WordPress plugin vulnerability is rated CVSS 10.0, exposed over the network, requires no privileges, and no user interaction, defenders should assume that reverse engineering the patch or private advisory is likely. Even if there is no public proof of concept today, time-to-weaponization can be short for popular plugins, especially in shared hosting and internet-exposed CMS environments.
Technical limitations and what is still unknown
Publicly available details are currently limited. The NVD record confirms the vulnerability type, severity, affected range, fixed version, and CWE classification, but it does not provide a detailed root-cause narrative, affected endpoint, exploit prerequisites beyond “unauthenticated,” or reliable IOCs tied to a confirmed exploit path. A Patchstack advisory URL exists in the CVE references, but the technical specifics available during this research session were limited.
When details are sparse, defenders should default to conservative assumptions. Assume a remotely reachable plugin code path may be exploitable on internet-facing sites running 2.1.46 or earlier. Assume that generic WordPress compromise hunting is warranted. And assume that exploit availability may change quickly after disclosure, even if there is no confirmed PoC at publication time.
Affected versions and fixed version
The currently verified affected and fixed versions are below.
| Product | Affected versions | Fixed version |
|---|---|---|
| Creative Themes Blocksy Companion Pro for WordPress | Up to and including 2.1.46 | 2.1.47 |
If you operate WordPress sites at scale, do not rely on plugin names alone. Confirm the installed plugin slug and actual deployed version from the WordPress admin interface, WP-CLI, filesystem, or hosting inventory. In environments with image-based deployments or custom packaging, ensure the vulnerable plugin was not bundled into a golden image or deployment artifact even if the live admin panel appears patched.
It is also important to distinguish between plugin presence and active exploitation risk. A vulnerable version present on disk may still matter if the plugin is active or if its code can be reached through WordPress bootstrap paths. If you cannot confirm exposure quickly, assume any internet-facing site with Blocksy Companion Pro <= 2.1.46 is at risk until patched or isolated.
Severity and CVSS breakdown
NVD assigns CVSS v3.1 10.0 (Critical) with vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
This is the highest practical severity profile for a web-exposed application flaw. AV:N means it is reachable over the network. AC:L means exploitation is not considered high complexity. PR:N and UI:N are especially significant for defenders because the attacker does not need an account and does not need to trick a user or administrator into doing anything. C:H/I:H/A:H indicates the expected impact spans confidentiality, integrity, and availability.
The Scope: Changed (S:C) portion of the vector suggests compromise may cross trust boundaries in a meaningful way. In practical terms for WordPress operators, that can mean a vulnerable plugin allows actions that affect the broader site or server context, not just the plugin’s own data. For incident response, this means responders should not limit review to the plugin directory. Check WordPress core files, themes, uploads directories, cron jobs, database users, .htaccess, and server-level persistence artifacts.
Exploitation status, PoC status, and KEV status
At the time of this writing, no confirmed in-the-wild exploitation has been established from the available sources reviewed for this CVE. The CVE is not currently listed in the CISA Known Exploited Vulnerabilities catalog, which means there is no CISA confirmation of active exploitation as of this publication date.
Also at the time of this writing, no verified public proof of concept (PoC) is known from the retrieved sources. That does not mean exploitation is impossible or unlikely. It only means there is no confirmed public exploit reference in the source material used here. In the absence of public exploit data, defenders should assume two things: first, attackers may still reverse engineer the patch quickly; second, broad scanning against WordPress sites is common once a critical plugin issue becomes public.
Bottom line
CVE-2026-57624 is a critical unauthenticated RCE in Creative Themes Blocksy Companion Pro for WordPress. The verified exposure window is versions up to and including 2.1.46, and the known fixed version is 2.1.47. There is no confirmed in-the-wild exploitation and no verified public PoC from the available sources used here, but that should not delay remediation.
If you run this plugin, treat this as an immediate patch-and-review event. Upgrade to 2.1.47 or later, check logs and file integrity for signs of compromise, and document which sites were exposed before remediation.
For more information on related vulnerabilities, check out our articles on CVE-2026-8760 and compare the best vulnerability scanners for small businesses in 2026.
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.
How to identify exposure in your environment
Start with asset inventory. Enumerate all WordPress instances, then identify where Blocksy Companion Pro is installed and whether the version is 2.1.46 or earlier. In centrally managed environments, WP-CLI is usually the fastest route. In shared hosting or outsourced site management, ask the provider for plugin version evidence rather than a verbal assurance that “everything is updated.”
A second step is retrospective scoping. Because the vulnerability is unauthenticated RCE, you should review recent activity on any affected site even if you patch immediately. Focus on sudden file changes, unexpected PHP files in writable locations, newly created administrator accounts, plugin or theme modifications, suspicious POST requests to WordPress endpoints, and outbound traffic from web servers that normally have no reason to initiate remote connections.
Technical Notes
Use WP-CLI to enumerate the plugin and version:
wp plugin list --format=table | grep -i blocksy
wp plugin get blocksy-companion-pro --fields=name,status,version
If WP-CLI is unavailable, check the plugin metadata directly on disk:
grep -E "Version:" wp-content/plugins/blocksy-companion-pro/blocksy-companion-pro.php
Example filesystem hunting for recently modified PHP files:
find /var/www/html -type f -name "*.php" -mtime -7 | sort
find wp-content/uploads -type f \( -name "*.php" -o -name "*.phtml" \) -print
Concrete log review patterns to start with, given the exact vulnerable endpoint is not yet publicly documented, should focus on suspicious unauthenticated requests to WordPress and plugin paths:
# Apache/Nginx access logs: requests into wp-admin/admin-ajax.php, REST API, or plugin paths
egrep 'POST .*wp-admin/admin-ajax\.php|POST .*wp-json/|/wp-content/plugins/blocksy-companion-pro/' /var/log/nginx/access.log /var/log/apache2/access.log
# Suspicious PHP execution attempts or direct access to writable areas
egrep '(/wp-content/uploads/.*\.php|/wp-content/cache/.*\.php|cmd=|exec=|base64_)' /var/log/nginx/access.log /var/log/apache2/access.log
Example Splunk query for suspicious WordPress web requests:
index=web (uri_path="/wp-admin/admin-ajax.php" OR uri_path="/wp-json/*" OR uri_path="*/wp-content/plugins/blocksy-companion-pro/*")
| stats count min(_time) as firstSeen max(_time) as lastSeen by src_ip http_method uri_path status user_agent
| sort - count
Because the vulnerable parameter or endpoint is not publicly confirmed in the available record, defenders should cast a wider net. Watch for POST-heavy traffic spikes, unusual user agents, 200 responses to plugin-path requests, and any subsequent file write or process execution events on the host.
Mitigation and patching guidance
The primary mitigation is to upgrade Blocksy Companion Pro to version 2.1.47 or later. That is the only clearly documented fixed boundary in the current public data. If you manage multiple sites, prioritize internet-facing instances and any site with weak monitoring, broad file write permissions, or colocated workloads on the same host.
If immediate patching is not possible, use compensating controls while treating them as temporary risk reduction, not a substitute for the fix. Consider temporarily disabling the plugin if the business impact is acceptable. Restrict administrative access paths with IP allowlists or VPN requirements where feasible. Increase monitoring on the web tier and file system, and verify backups are intact and restorable before making emergency changes.
Technical Notes
WP-CLI upgrade command:
wp plugin update blocksy-companion-pro --version=2.1.47
If your environment allows only general latest-version upgrades:
wp plugin update blocksy-companion-pro
Temporary disablement if you cannot patch immediately:
wp plugin deactivate blocksy-companion-pro
For managed package or deployment pipelines, ensure the plugin artifact is replaced in code repositories or build images, not just in production. Example manual verification after upgrade:
wp plugin get blocksy-companion-pro --fields=name,status,version
# Expected version: 2.1.47 or later
If WordPress admin access is your only option, verify the plugin version after updating and document which sites were remediated. In the absence of a retrievable vendor changelog during this research session, defenders should rely on the NVD version boundary: 2.1.46 and earlier affected, 2.1.47 fixed.
Post-patch incident response checks
Patching closes the known vulnerable version window, but it does not answer whether a site was already compromised. For any site that was exposed with Blocksy Companion Pro <= 2.1.46, perform at least a basic compromise assessment. Review newly created admin users, changed passwords, plugin/theme file diffs, scheduled tasks, and suspicious outbound connections from the host. On shared hosting, ask the provider for process execution logs or malware scan results if you do not control the OS.
Also review persistence mechanisms common in WordPress intrusions: dropped PHP files in uploads, modified functions.php, injected code in wp-config.php, .htaccess redirects, unauthorized MU-plugins, and database entries that add admin accounts or malicious options. If you find evidence of compromise, rotate WordPress admin credentials, database credentials, hosting panel credentials, and any API keys stored on the server.
References
| Source | URL |
|---|---|
| NVD CVE record | https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-57624 |
| Patchstack advisory reference | https://patchstack.com/database/wordpress/plugin/blocksy-companion-pro/vulnerability/wordpress-blocksy-companion-pro-plugin-2-1-46-remote-code-execution-rce-vulnerability?_s_id=cve |
| CISA KEV catalog | https://www.cisa.gov/known-exploited-vulnerabilities-catalog |
| Creative Themes Blocksy changelog | https://creativethemes.com/blocksy/changelog |