What the vulnerability does
Description
Unauthenticated Remote Code Execution (RCE) in Blocksy Companion Pro versions <= 2.1.46.
CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Explanation of Vulnerability in Simple Terms
Blocksy Companion Pro versions up to 2.1.46 contain a code injection vulnerability that allows unauthenticated attackers to run arbitrary PHP code on affected sites. The vulnerability requires no user interaction and can be exploited over the network. An attacker can gain complete control of the site, including reading sensitive data, modifying content, and disrupting service.
What an attacker can do
Run arbitrary PHP code on the site without authentication, gaining full control.
Potential impact on your site
Complete site compromise: attackers can steal data, modify content, install malware, or take the site offline.
Conditions required to exploit
Network access only; no authentication or user interaction required.