CVE-2026-40783
Status: Deferred - Pending Action
Contributor RCE in Blocksy Companion Pro <= 2.1.37

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description
Remote Code Execution (RCE) reachable by an authenticated user holding the Contributor role in Blocksy Companion Pro, versions up to and including 2.1.37.
Meta Information
EPSS Evaluated: N/A (no EPSS probability or percentile has been published for this CVE)
Affected Vendors & Products (2 associated CPEs)
Vendor      Product                 Version / Range
blocksy     companion_pro           up to 2.1.37 (inclusive)
patchstack  blocksy_companion_pro   up to 2.1.37 (inclusive)
CWE ID: CWE-94, Improper Control of Generation of Code ('Code Injection')
Description: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Quick Actions (the Executive Summary, Impact Analysis, Mitigation Strategies and Compliance Impact sections that follow are AI-generated)
Executive Summary

Blocksy Companion Pro, a WordPress plugin, contains a Remote Code Execution (RCE) vulnerability in versions 2.1.37 and earlier. An authenticated attacker holding the Contributor role (or any higher role) can execute arbitrary code on the server hosting the affected site.

In practice this lets the attacker plant a backdoor and take full control of the website. The weakness is classified as CWE-94 (code injection) and falls under OWASP Top 10 category A03:2021 Injection.

Impact Analysis

This vulnerability is severe because it allows an attacker to execute arbitrary code on the server that hosts the site, not merely to tamper with content.

  • Attackers can plant a backdoor (for example a web shell or a rogue administrator account) and keep access after the original entry point is closed.
  • Full control over the affected website, its database and anything else the web server user can reach can be obtained by the attacker.
  • The flaw carries a CVSS score of 9.9, indicating critical severity.
  • Mass exploitation campaigns are likely against sites that grant Contributor accounts to untrusted users (guest-author programs, multi-author blogs); a site that issues such accounts only to trusted staff is exposed to the extent those accounts are compromised or malicious.
Mitigation Strategies

Update Blocksy Companion Pro to version 2.1.38 or later immediately; that is the release in which the Remote Code Execution flaw is patched.

Until the update is applied, Patchstack has provided a mitigation rule that blocks attack attempts against this vulnerability for sites it protects. Updating closes the entry point but does not undo a compromise that has already happened: if a vulnerable version was exposed to Contributor-level users you do not fully trust, audit the site for added plugins, modified files, unexpected administrator accounts and scheduled tasks before treating it as clean.
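A version check of the kind an operator would run across a fleet of WordPress installs, added here as an illustration; it is not code from this advisory, from Patchstack or from the plugin vendor. It assumes the plugin's main PHP file carries a standard WordPress plugin header whose "Plugin Name:" contains "Blocksy Companion Pro" (the exact header text and the directory slugs are assumptions; check them against your install), that plugins live under wp-content/plugins/<slug>/, and that 2.1.38 is the first fixed release, as the advisory states. The sample headers are constructed. The point it adds beyond the text: version strings must be compared numerically, component by component, because a plain string comparison ranks 2.1.4 above 2.1.37 and would mark a vulnerable install as safe.

```python
"""Fleet check for CVE-2026-40783 (Blocksy Companion Pro <= 2.1.37).

Illustrative script, not code from the advisory, Patchstack or the plugin vendor.
Assumptions: the plugin's main PHP file has a standard WordPress header whose
"Plugin Name:" contains "Blocksy Companion Pro" (hypothetical; verify against
your install) and a "Version:" line; plugins live in wp-content/plugins/<slug>/.
"""
import re
import tempfile
from pathlib import Path

FIXED_VERSION = (2, 1, 38)              # first patched release per the advisory
TARGET_NAME = "blocksy companion pro"   # assumed header text, matched case-insensitively

# WordPress reads header fields from the first 8 KiB of the main plugin file.
HEADER_BYTES = 8192
_FIELD_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.I | re.M)


def parse_plugin_header(text: str) -> dict:
    """Return the 'plugin name' and 'version' fields from a plugin header comment."""
    fields = {}
    for key, value in _FIELD_RE.findall(text[:HEADER_BYTES]):
        fields.setdefault(key.lower(), value)   # first occurrence wins, as in WordPress
    return fields


def parse_version(version: str) -> tuple:
    """'2.1.37' -> (2, 1, 37). Stops at the first non-numeric piece ('2.1.38-beta1' -> (2, 1, 38))."""
    parts = []
    for piece in re.split(r"[.\-+]", version.strip()):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts) or (0,)


def is_vulnerable(version: str) -> bool:
    """True for any release below the fixed version, compared numerically per component."""
    return parse_version(version) < FIXED_VERSION


def scan_plugins_dir(plugins_dir) -> dict:
    """Map <slug> -> (version, vulnerable) for every plugin whose header names the target."""
    results = {}
    for php in Path(plugins_dir).glob("*/*.php"):
        try:
            header = parse_plugin_header(php.read_text(errors="replace"))
        except OSError:
            continue
        if TARGET_NAME not in header.get("plugin name", "").lower():
            continue
        version = header.get("version", "0")
        results[php.parent.name] = (version, is_vulnerable(version))
    return results


# Constructed sample headers standing in for real plugin files.
SAMPLE_PLUGINS = {
    "blocksy-companion-pro": "<?php\n/*\nPlugin Name: Blocksy Companion Pro\nVersion: 2.1.4\n*/\n",
    "blocksy-companion-pro-patched": "<?php\n/**\n * Plugin Name: Blocksy Companion Pro\n * Version: 2.1.38\n */\n",
    "unrelated-plugin": "<?php\n/*\nPlugin Name: Unrelated Plugin\nVersion: 9.9\n*/\n",
}


def demo() -> dict:
    """Build a throwaway plugins directory from the samples and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for slug, source in SAMPLE_PLUGINS.items():
            plugin_dir = Path(tmp, slug)
            plugin_dir.mkdir()
            (plugin_dir / f"{slug}.php").write_text(source)
        return scan_plugins_dir(tmp)


if __name__ == "__main__":
    for slug, (version, vulnerable) in sorted(demo().items()):
        print(f"{slug}: {version} -> {'VULNERABLE' if vulnerable else 'ok'}")
```

Point scan_plugins_dir at each site's wp-content/plugins directory (over SSH, a mounted backup, or a container image) and treat every entry flagged True as needing the 2.1.38 update plus the post-compromise audit described above. A plugin whose header is missing or non-standard will simply not be reported, so an empty result is not proof of absence; confirm the slug assumption on one known install first.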

Compliance Impact

The vulnerability allows remote code execution, enabling attackers to gain backdoor access and full control over affected sites. Such unauthorized access and control can lead to data breaches, potentially exposing sensitive personal or health information.

This exposure could result in non-compliance with regulations like GDPR and HIPAA, which mandate strict protections for personal and health data. Organizations using vulnerable versions of the Blocksy Companion Pro plugin risk violating these standards if the flaw is exploited.

Therefore, timely patching to version 2.1.38 or later is critical to maintain compliance and protect sensitive data from compromise.
