Themes Vulnerabilities

Blocksy < 2.1.31 - Authenticated (Contributor+) Stored Cross-Site Scripting via `blocksy_meta` Fields

Description

The Blocksy theme for WordPress is vulnerable to Stored Cross-Site Scripting via the `blocksy_meta` metadata fields in all versions up to, and including, 2.1.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Themes

blocksy
Fixed in 2.1.31

References

CVE
CVE-2026-2583
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/ce7ee2c7-0c7b-4ce3-89d2-5503dff6e59c

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Quốc Huy (jtwings)
Verified
No
WPVDB ID
3075190e-692f-4dfa-a0fa-7957cb9a0282

Timeline

Publicly Published
2026-03-02 (about 21 days ago)
Added
2026-03-02 (about 21 days ago)
Last Updated
2026-03-02 (about 21 days ago)

Other

Published
Title
Published
2025-01-16
Title
XTRA Settings <= 2.1.8 - Reflected Cross-Site Scripting
Published
2025-01-16
Title
Altima Lookbook Free for WooCommerce <= 1.1.0 - Refletced Cross-Site Scripting
Published
2025-10-30
Title
Jannah - Extensions < 1.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-12-29
Title
WP Affiliate Disclosure < 1.2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via $id
Published
2024-05-07
Title
3D FlipBook, PDF Viewer, PDF Embedder – Real 3D FlipBook WordPress Plugin < 3.72 - Authenticated (Author+) Stored Cross-Site Scripting