CVE-2026-8365
PHP Object Injection in Blocksy WordPress Theme

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: Wordfence

Description
The Blocksy theme for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution via the 'blocksy_meta' REST API field and the V200 database migration in versions up to and including 2.1.35. This is due to insufficient input sanitization in the blocksy_sanitize_post_meta_options() function, which only blocks values containing '<' or '>' and does not prevent serialized PHP object strings from being stored in post meta, combined with the SearchReplacer::run_recursively() function unconditionally deserializing all string values via @unserialize() during migration without restricting allowed classes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a serialized Blocksy\RaiiPattern object into post meta that, when the V200 migration runs on an upgraded site, is deserialized and triggers RaiiPattern::__destruct(), which executes arbitrary PHP callables via call_user_func().
Affected Vendors & Products
Vendor: blocksy
Product: theme
Version / Range: up to and including 2.1.35
CWE
CWE-502: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Executive Summary

The Blocksy theme for WordPress has a vulnerability called PHP Object Injection that can lead to Remote Code Execution. This happens through the 'blocksy_meta' REST API field and the V200 database migration in versions up to and including 2.1.35.

The root cause is insufficient input sanitization in the function blocksy_sanitize_post_meta_options(), which only blocks values containing '<' or '>' but does not prevent serialized PHP object strings from being stored in post meta.

During the V200 migration, the SearchReplacer::run_recursively() function deserializes all string values without restricting allowed classes. This allows an authenticated attacker with contributor-level access or higher to inject a serialized Blocksy\RaiiPattern object into post meta.

When the migration runs, the injected object is deserialized and triggers the RaiiPattern::__destruct() method, which executes arbitrary PHP callables via call_user_func(), enabling remote code execution.
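
The two weaknesses described above (a sanitizer that only rejects angle brackets, and a migration step that unserializes every string with no class restriction) beside hardened variants, as an added illustration in PHP that is not Blocksy's own code; function names are hypothetical and PHP 7.1+ is assumed.

```php
<?php
// Added illustration, not Blocksy's own code; function names are hypothetical.
// Requires PHP 7.1+ (allowed_classes option of unserialize(), nullable returns).
// The weak check as the advisory describes it: only angle brackets are rejected,
// so a string such as 'O:8:"stdClass":0:{}' would be stored in post meta as-is.
function weak_sanitize_meta_value(string $value): ?string
{
    return (strpos($value, '<') !== false || strpos($value, '>') !== false)
        ? null : $value;
}

// True when $data is, or contains, an object restored with allowed_classes=false.
function contains_incomplete_class($data): bool
{
    if ($data instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($data)) {
        foreach ($data as $item) {
            if (contains_incomplete_class($item)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened check: keep the angle-bracket rule and also refuse any string that
// unserializes to an object. With allowed_classes=false no real class is
// instantiated during the probe, so no __wakeup/__destruct can fire here.
function hardened_sanitize_meta_value(string $value): ?string
{
    if (weak_sanitize_meta_value($value) === null) {
        return null;
    }
    $decoded = @unserialize($value, ['allowed_classes' => false]);
    return contains_incomplete_class($decoded) ? null : $value;
}

// Safe counterpart of a migration step that unserializes every string it meets:
// scalars and arrays are decoded, object payloads stay opaque strings.
function safe_unserialize_string(string $value)
{
    $decoded = @unserialize($value, ['allowed_classes' => false]);
    if ($decoded === false || contains_incomplete_class($decoded)) {
        return $value;
    }
    return $decoded;
}
```

Because an object restored as __PHP_Incomplete_Class has no destructor, neither function can trigger a gadget chain even when a serialized object is already present in stored meta.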

Impact Analysis

This vulnerability can allow an attacker with contributor-level access or higher to execute arbitrary PHP code on your WordPress site remotely.

Such remote code execution can lead to full site compromise, including data theft, site defacement, installation of malware, or further attacks on the hosting environment.

Because the vulnerability requires only contributor-level privileges, it significantly lowers the barrier for attackers to exploit the site.
