External risk intelligence

Blocksy Companion Pro Contributor RCE Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.9)

CVE-2026-40783

A critical contributor remote code execution vulnerability exists in the Blocksy Companion Pro plugin, allowing for arbitrary code execution on the server. This affects websites built with the plugin, which are commonly exposed to the internet, potentially impacting data integrity and availability. Readers should care

Code Injection

Halo Surface Signal

Likely · external exposure


This vulnerability affects a WordPress plugin, which is typically used to build and manage public-facing websites. As a component of a web application platform designed for internet content delivery, the code is commonly exposed to the public internet in standard deployment scenarios.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability exists in the Blocksy Companion Pro plugin, potentially allowing unauthorized remote code execution. This issue affects the technology used to build and manage websites, as the plugin's code is commonly exposed to the internet. Understanding the relevance and exposure of this plugin is the primary concern.

  • Plugin allows attackers to run unauthorized code.
  • Impacts public-facing websites and their content.
  • Confirm if the plugin is used and assess risk.

Attack Path

How an attacker could exploit the issue

An attacker with a low-privileged account on a website running the affected plugin could exploit this vulnerability by interacting with a specific feature within the plugin, ultimately leading to the execution of arbitrary code on the server. The chain begins with that initial low-privileged access, progresses to triggering the vulnerable component, and ends in remote code execution, which is particularly dangerous when the server hosts sensitive information or provides critical services.

  • Requires authenticated low-privileged access.
  • Triggered through a vulnerable plugin feature.
  • Leads to remote code execution on the server.

Live Threat

Current exploitation, exposure, and threat context

A critical contributor remote code execution vulnerability in Blocksy Companion Pro could allow an unauthenticated attacker to execute arbitrary code on the server when a specially crafted request is sent. This could impact the integrity and availability of the website and its data.

  • Server code execution.
  • Unauthenticated network requests.
  • Website compromise and data loss.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in Blocksy Companion Pro allows users with contributor-level access to execute code remotely, posing a critical risk. The first step is for the website owner or administrator to confirm the presence and reachability of this plugin on their WordPress sites, identify the parties accountable for website management, and then prioritize remediation based on the potential impact and exposure.

  • Website owners/administrators should own the issue.
  • Verify plugin presence and exposure on public sites.
  • Plan coordinated updates during maintenance windows.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-40783 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This critical vulnerability in Blocksy Companion Pro versions prior to 2.1.37 allows for remote code execution. Exploiting this flaw could enable attackers to gain unauthorized control of systems.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Blocksy Companion Pro?

Blocksy Companion Pro is a plugin for WordPress designed to extend the functionality of the Blocksy theme. It provides tools for building, customizing, and managing the layout and features of a website. Because it integrates directly into the WordPress ecosystem, it is a core component for users who rely on the platform to deliver public-facing web content.

What does CVE-2026-40783 mean?

This vulnerability is classified as CWE-94, or Improper Control of Generation of Code. In plain terms, it means the plugin fails to properly restrict what kind of input it processes, allowing an attacker to inject and execute their own unauthorized code on the server where the website is hosted.

How is this vulnerability triggered?

An attacker triggers this flaw by interacting with a specific, vulnerable feature within the plugin. While this requires a level of access to the site, it does not require administrative privileges; a low-privileged account is sufficient to initiate the chain of events that leads to unauthorized remote code execution.

Is my website at risk?

Halo Surface Signal indicates this vulnerability is highly relevant because Blocksy Companion Pro is typically used on public-facing websites. If your site is accessible over the internet, the plugin's code is likely exposed, making it a potential entry point for attackers to compromise your server and data.

How do I respond to this threat?

Start by identifying if your WordPress site uses this plugin and who is responsible for managing its updates. Verify the plugin version and monitor official vendor channels for security patches. Prioritize this as a critical task to protect your site's integrity, ensuring you are prepared to apply updates as soon as they become available.
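To act on the version check recommended in the Operational Fix and FAQ sections, here is an added Python example (not from the advisory or the plugin vendor) that reads a WordPress plugin's header comment and compares the declared version against the 2.1.37 fix threshold stated above; the plugin folder and file names used in the script are assumptions.

```python
import re
from pathlib import Path
from typing import Optional, Tuple

# Per the advisory, Blocksy Companion Pro versions prior to 2.1.37 are affected.
FIXED_VERSION = "2.1.37"

# WordPress plugins declare their version in a "Version:" line of the header
# comment in the plugin's main PHP file; this regex matches that line.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(?P<ver>\S+)", re.IGNORECASE | re.MULTILINE)

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.1.36' or '2.1.37-rc1' into a comparable tuple, e.g. (2, 1, 36).
    Pre-release suffixes are ignored, so treat 'rc' builds with care."""
    core = re.match(r"\d+(?:\.\d+)*", text)
    if core is None:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in core.group(0).split("."))

def header_version(header_text: str) -> Optional[str]:
    """Extract the Version: value from a plugin's header comment block."""
    m = VERSION_RE.search(header_text)
    return m.group("ver") if m else None

def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version sorts strictly before the fixed release."""
    return parse_version(version) < parse_version(fixed)

def assess_header(header_text: str) -> str:
    """Classify a plugin header as 'vulnerable', 'patched' or 'unknown'."""
    ver = header_version(header_text)
    if ver is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(ver) else "patched"

def assess_install(plugin_file: Path) -> str:
    """Read the main plugin file from disk; 'absent' means the plugin is not installed."""
    if not plugin_file.is_file():
        return "absent"
    return assess_header(plugin_file.read_text(encoding="utf-8", errors="replace")[:8192])

# Constructed sample header (not copied from the real plugin) for a dry run.
SAMPLE_HEADER = "<?php\n/*\nPlugin Name: Blocksy Companion Pro\nVersion: 2.1.36\n*/\n"

if __name__ == "__main__":
    print("sample header:", assess_header(SAMPLE_HEADER))
    # Folder and file name below are assumptions; adjust to your install layout.
    print("local install:", assess_install(Path("wp-content/plugins/blocksy-companion-pro/blocksy-companion.php")))
```

Run it from the WordPress document root; a result of "vulnerable" means the installed plugin still predates the fixed release and should be updated on the vendor's schedule.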
