External risk intelligence

Blocksy Companion Pro Unauthenticated Remote Code Execution

CVE advisorySeverity: CRITICAL (CVSS 10.0)

CVE-2026-57624

The vulnerability affects a WordPress plugin, which is typically used to extend the functionality of public-facing web applications. Because these plugins are integrated into web servers that are designed to be accessible via the public internet to serve content and features to users, the vulnerable code is likely to be reachable from the internet in common deployment scenarios.

Code Injection

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in the Blocksy Companion Pro plugin, potentially allowing unauthenticated remote code execution. This type of flaw can permit unauthorized individuals to run commands on affected systems, which could have broad implications for the security and integrity of systems using this technology. The main concern at this stage is to confirm if this plugin is in use and if it is exposed.

  • Unauthenticated attackers can execute commands remotely.
  • Critical flaw in widely used website technology.
  • Confirm usage and exposure of this plugin.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending specially crafted network requests to a vulnerable system. This could lead to the attacker gaining the ability to execute arbitrary code on the affected server, potentially resulting in a complete compromise.

  • No authentication required.
  • Triggered via network requests.
  • Risk of remote code execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to execute arbitrary code on affected systems due to a flaw in the Blocksy Companion Pro plugin. This could potentially lead to a complete compromise of the system, impacting website operations and any data it processes.

  • System data and website integrity.
  • Remote code execution via network access.
  • Full system compromise possible.

Operational Fix

Recommended remediation, mitigation, and detection steps

This unauthenticated remote code execution vulnerability in Blocksy Companion Pro requires immediate attention. The first step is for the web application or platform team to identify all instances of this plugin, assess their exposure to the internet, and confirm business criticality. Once these instances are identified, the accountable owner should be determined to plan and execute remediation, prioritizing those with the greatest risk.

  • Application owners should address this.
  • Verify plugin presence and reachability.
  • Plan targeted remediation and vendor coordination.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Blocksy Companion Pro plugin?

Blocksy Companion Pro is a premium extension for the Blocksy WordPress theme. It provides additional design options, header features, and customization tools that website administrators use to enhance the functionality and layout of their sites built on the WordPress platform.

What does CWE-94 mean for CVE-2026-57624?

CWE-94 refers to Improper Control of Generation of Code. In the context of this CVE, it means the plugin fails to safely handle input, allowing an attacker to inject and execute their own code. Because this is an unauthenticated flaw, the system processes these malicious commands as if they were authorized instructions, bypassing normal access controls.

How is this vulnerability triggered?

An attacker triggers this bug by sending a specially crafted network request to the web server hosting the affected plugin. No user interaction or valid login credentials are required for the code to run. Simply visiting the website as a normal user will not trigger the vulnerability; it requires a targeted, malicious request specifically designed to exploit the flaw.

Is my system at risk?

According to Halo Surface Signal, this vulnerability is classified as likely to be reachable from the internet. Since WordPress plugins are designed to be accessible to public visitors to serve website content, any instance of this plugin running on a public-facing server is considered exposed and at higher risk.

What steps should I take if I use this plugin?

If you manage a site using Blocksy Companion Pro, your first priority is to create an inventory of all instances to confirm where the plugin is active. Once identified, evaluate the plugin's accessibility to the internet and coordinate with your technical team or the vendor to plan remediation. Focus on securing or updating these instances to prevent unauthorized system access.

References