CVE-2026-57315
Creative Themes · Blocksy Companion Pro
A vulnerability in the Blocksy Companion Pro WordPress plugin allows authenticated contributors to execute arbitrary code on the server.
Executive summary
Blocksy Companion Pro versions 2 and below are vulnerable to a Remote Code Execution (RCE) flaw that allows authenticated users with the Contributor role to gain full control of the hosting server.
Vulnerability
The vulnerability is a Remote Code Execution (RCE) flaw reachable by users holding the "Contributor" role, the lowest WordPress role that can author content. By exploiting insufficient input validation or missing authorization checks within the plugin, an attacker with such an account can execute arbitrary commands on the underlying web server.
Business impact
This vulnerability carries a CVSS score of 8.5, indicating a high risk of total server compromise. If exploited, an attacker could gain full administrative access to the WordPress environment, leading to data exfiltration, site defacement, or the deployment of persistent backdoors, which would cause significant reputational and operational damage.
Remediation
Immediate Action: Update the Blocksy Companion Pro plugin to the latest available version immediately.
Proactive Monitoring: Review WordPress user access logs for suspicious activity originating from accounts with Contributor-level privileges.
Compensating Controls: Implement a Web Application Firewall (WAF) rule to block suspicious requests targeting plugin-specific administrative functions, and consider disabling the plugin until a patch is applied.
Exploitation status
Public Exploit Available: false
Analyst recommendation
This vulnerability is critical for any organization hosting WordPress sites using Blocksy Companion Pro. Organizations should immediately audit their WordPress user roles to ensure no unauthorized accounts have Contributor access and apply the update as soon as it is available to neutralize the RCE risk.