Blocksy Companion Pro <= 2.1.46 - Unauthenticated Insecure Direct Object Reference

2026-06-26 00:00
Austin Ginder

Strategic Overview

Status
Patched in 2.1.47
Affected PluginBlocksy Companion Pro
Affected Version<= 2.1.46
CVSS5.3Medium
CVECVE-2026-57630
View all Blocksy Companion Pro vulnerabilities

Vulnerability Overview

The Blocksy Companion Pro plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.46 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to perform unauthorized actions.

Technical Analysis

REMEDIATION: Update to version 2.1.47, or a newer patched version --- IDENTIFIER: CWE-639 (Authorization Bypass Through User-Controlled Key) The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

External References

Vulnerability data © Defiant, Inc., provided under the Wordfence Intelligence T&C

Blocksy Companion Pro <= 2.1.46 - Unauthenticated Insecure Direct Object Reference (CVE-2026-57630)