PHP Object Injection in Blocksy Theme for WordPress
CVE-2026-8365

8.8HIGH

Key Information:

Vendor

WordPress

Status
Vendor
CVE Published:
9 June 2026

What is CVE-2026-8365?

The Blocksy theme for WordPress is affected by a PHP Object Injection vulnerability that allows remote code execution through the 'blocksy_meta' REST API field. This vulnerability arises from inadequate input sanitization in the blocksy_sanitize_post_meta_options() function. It fails to prevent serialized PHP object strings from being saved in post metadata, allowing authenticated attackers with contributor-level access or higher to insert malicious serialized objects. During the V200 database migration, these objects can be deserialized without restrictions, leading to the execution of arbitrary PHP commands through the unexpected execution of methods during object destruction.

Affected Version(s)

Blocksy 0 <= 2.1.41

References

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Quốc Huy
.