CVE-2026-12430
medium
📛 Threat Title
Blocksy Companion <= 2.1.45 - Authenticated (Editor+) Stored Cross-Site Scripting via 'product_description' Parameter
Description
The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.1.45 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. Affected software — plugin: Blocksy Companion (affected: *-2.1.45). CVSS 4.4 (Medium) — CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N.
Remediations (3)
-
Wordfence remediation: Blocksy CompanionWordfence
Update to version 2.1.46, or a newer patched version
-
Wordfence remediation: Blocksy CompanionWordfence
Update to version 2.1.46, or a newer patched version
-
Wordfence remediation: Blocksy CompanionWordfence
Update to version 2.1.46, or a newer patched version
Indicators of Compromise (1)
Each indicator is enriched from the IOC database, threat-intel feed corroboration (Threat Hunt) and VirusTotal. Click one to expand.
cve
CVE-2026-12430
IOC database
- Type
- cve
- Value
CVE-2026-12430- First seen
- Last seen
- Attached to this threat
- Appears in
- 1 threat
- Description
- Blocksy Companion <= 2.1.45 - Authenticated (Editor+) Stored Cross-Site Scripting via 'product_description' Parameter
Threat Hunt — feed corroboration
Not present in any configured threat-intel feed.
Details From VirusTotal
No VirusTotal details cached for this IOC. Open the IOC page to query VirusTotal.
References (3)
AI Forensic Analysis
Only Available for Registered Users. Sign in to view.