Stored Cross-Site Scripting Vulnerability in Blocksy Companion Plugin for WordPress
CVE-2026-12430
4.4 MEDIUM
What is CVE-2026-12430?
The Blocksy Companion plugin for WordPress is vulnerable to stored cross-site scripting (XSS) because its admin settings lack adequate input sanitization and output escaping. The flaw affects all versions up to and including 2.1.45 and is particularly concerning for multi-site installations where the 'unfiltered_html' option is disabled. Authenticated attackers with editor-level permissions or higher can inject malicious web scripts into pages, and those scripts execute whenever a user accesses an affected page.
Affected Version(s)
Blocksy Companion: all versions <= 2.1.45
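
A triage check a site owner could run against this advisory, as an added example that is not code from the plugin or the advisory: it reads the Version field of the plugin header, compares it with 2.1.45, and raises priority when wp-config.php sets MULTISITE or DISALLOW_UNFILTERED_HTML. Treating either constant as the configuration where editors lack unfiltered_html is an assumption based on WordPress core behaviour; the sample header and config are constructed.

```python
import re

# Last affected release, taken from the advisory text (<= 2.1.45).
LAST_AFFECTED = (2, 1, 45)

# Constructed sample inputs, not copied from a real site.
SAMPLE_HEADER = """<?php
/*
 * Plugin Name: Blocksy Companion
 * Version: 2.1.45
 */
"""
SAMPLE_WP_CONFIG = """<?php
// define( 'DISALLOW_UNFILTERED_HTML', true );
define( 'MULTISITE', true );
"""


def parse_version(header_text):
    """Return the plugin header's Version as a tuple, or None if absent."""
    m = re.search(r"^[ \t*]*Version:[ \t]*(\d+(?:\.\d+)*)", header_text, re.M | re.I)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:  # 2.1.45.0 equals 2.1.45
        parts.pop()
    return tuple(parts)


def constant_is_true(wp_config_text, name):
    """True if wp-config.php defines the constant as true on an uncommented line.
    Line-anchored, so // and # comments are skipped; /* */ blocks are not parsed."""
    pattern = r"^\s*define\(\s*['\"]%s['\"]\s*,\s*true\s*\)" % re.escape(name)
    return re.search(pattern, wp_config_text, re.M | re.I) is not None


def triage(header_text, wp_config_text):
    """Classify a site: 'unknown', 'not-affected', 'affected', 'affected-priority'."""
    version = parse_version(header_text)
    if version is None:
        return "unknown"
    if version > LAST_AFFECTED:
        return "not-affected"
    # Assumption: either constant means editors lack unfiltered_html.
    restricted = any(constant_is_true(wp_config_text, c)
                     for c in ("MULTISITE", "DISALLOW_UNFILTERED_HTML"))
    return "affected-priority" if restricted else "affected"
```

An "unknown" result means the header had no Version field and the installed release has to be confirmed another way.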