Blocksy < 2.0.98 – Missing Authorization | CVE 2025-47465 | Theme Vulnerabilities

Description

The Blocksy theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the wp_ajax_blocksy_notice_button_click AJAX endpoint in versions up to, and including, 2.0.97. This makes it possible for authenticated attackers, with administrator-level access and above, to install plugins. This would only impact sites where administrators have been stripped of their capability to install and activate plugins, which might occur on multi-sites.

Affects Themes

Fixed in 2.0.98

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/3c1a773f-6908-48fc-99d9-a718ee120855

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

SavPhill (Savphill)

Verified

No

WPVDB ID

59bfc7f8-6350-4224-af2e-d61171a932a8

Timeline

Publicly Published

2025-05-07 (about 10 months ago)

Added

2025-05-14 (about 10 months ago)

Last Updated

2025-05-14 (about 10 months ago)

Other

Published

Title

Published

2025-04-04

Title

WP ULike < 4.7.10 - Missing Authorization to Unauthenticated Content Spoofing

Published

2024-05-21

Title

ApplyOnline – Application Form Builder and Manager < 2.6.3 - Missing Authorization to Sensitive Information Exposure

Published

2025-12-02

Title

Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin < 2.3.9 - Missing Authorization to Unauthenticated Backup Failure

Published

2026-02-09

Title

WCFM Marketplace < 3.7.1 - Insecure Direct Object Reference to Unauthenticated Arbitrary Refund Request Creation

Published

2024-06-20

Title

ConvertKit < 2.4.9.1 - Missing Authorization