PHP Object Injection in Blocksy Theme for WordPress
CVE-2026-8365
8.8HIGH
What is CVE-2026-8365?
The Blocksy theme for WordPress is affected by a PHP Object Injection vulnerability that allows remote code execution through the 'blocksy_meta' REST API field. This vulnerability arises from inadequate input sanitization in the blocksy_sanitize_post_meta_options() function. It fails to prevent serialized PHP object strings from being saved in post metadata, allowing authenticated attackers with contributor-level access or higher to insert malicious serialized objects. During the V200 database migration, these objects can be deserialized without restrictions, leading to the execution of arbitrary PHP commands through the unexpected execution of methods during object destruction.
Affected Version(s)
Blocksy 0 <= 2.1.41