Blocksy Companion Vulnerability – Authenticated (Admin+) Server-Side Request Forgery – CVE-2024-35633 | WordPress Plugin Vulnerability Report

Plugin Name: Blocksy Companion

Key Information:

  • Software Type: Plugin
  • Software Slug: blocksy-companion
  • Software Status: Active
  • Software Author: creativethemeshq
  • Software Downloads: 7,853,860
  • Active Installs: 200,000
  • Last Updated: June 11, 2024
  • Patched Versions: 2.0.43
  • Affected Versions: <= 2.0.42

Vulnerability Details:

  • Name: Blocksy Companion <= 2.0.42
  • Type: Authenticated (Admin+) Server-Side Request Forgery
  • CVE: CVE-2024-35633
  • CVSS Score: 5.5
  • Publicly Published: May 30, 2024
  • Researcher: Yuchen Ji
  • Description: The Blocksy Companion plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.0.42. This allows authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application, enabling them to query and modify information from internal services.

Summary:

The Blocksy Companion plugin for WordPress has a vulnerability in versions up to and including 2.0.42 that allows authenticated attackers with Administrator-level access and above to perform Server-Side Request Forgery (SSRF). This vulnerability has been patched in version 2.0.43.

Detailed Overview:

The vulnerability in Blocksy Companion versions up to 2.0.42 enables authenticated users with Administrator-level access or above to make the WordPress server issue web requests to locations of their choosing. Because those requests originate from the web application itself, they can reach internal services that are not exposed to the public, posing significant security risks to affected websites. Discovered by Yuchen Ji and publicly disclosed on May 30, 2024, this vulnerability requires immediate attention. Users should update to version 2.0.43 or later to mitigate the risk.

Advice for Users:

  • Immediate Action: Update the Blocksy Companion plugin to version 2.0.43 or later immediately to patch the vulnerability.
  • Check for Signs of Vulnerability: Administrators should monitor their systems for any unusual activities or unauthorized access, which might indicate exploitation of the vulnerability.
  • Alternate Plugins: Until the update is applied, users might consider deactivating the Blocksy Companion plugin temporarily or switching to alternative plugins that offer similar functionality.
  • Stay Updated: Regularly check for updates of all installed plugins and themes to ensure the security of your WordPress installation.
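A version check against the affected and patched ranges listed above, as an added example (not the plugin's or the report author's code). It assumes the plugin's main file sits at wp-content/plugins/blocksy-companion/blocksy-companion.php and carries a standard WordPress plugin header; the sample header is constructed.

```python
import re
from pathlib import Path
from typing import Optional

PLUGIN_SLUG = "blocksy-companion"   # slug from the report
PATCHED_VERSION = "2.0.43"          # first fixed release per the report
# Assumed location of the main plugin file relative to wp-content/plugins.
MAIN_FILE = f"{PLUGIN_SLUG}/{PLUGIN_SLUG}.php"


def parse_version(header_text: str) -> Optional[str]:
    """Extract the 'Version:' field from a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", header_text, re.M)
    return m.group(1) if m else None


def version_key(v: str) -> tuple:
    """Numeric tuple so that 2.0.9 < 2.0.43 (a plain string compare gets this wrong)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_vulnerable(installed: str, patched: str = PATCHED_VERSION) -> bool:
    """True for every release below the patched one, i.e. <= 2.0.42."""
    return version_key(installed) < version_key(patched)


def classify_header(header_text: str) -> str:
    """'vulnerable', 'patched', or 'unknown' when no Version: line is found."""
    ver = parse_version(header_text)
    if ver is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(ver) else "patched"


def check_install(plugins_dir: Path) -> str:
    """Classify the Blocksy Companion install under a wp-content/plugins directory."""
    path = plugins_dir / MAIN_FILE
    if not path.is_file():
        return "not_installed"
    # WordPress itself only reads the first 8 KiB of the file for header data.
    return classify_header(path.read_text(errors="replace")[:8192])


# Constructed sample header imitating a vulnerable 2.0.42 install (not real plugin code).
SAMPLE_HEADER = "<?php\n/*\nPlugin Name: Blocksy Companion\nVersion: 2.0.42\n*/\n"

if __name__ == "__main__":
    import sys
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("wp-content/plugins")
    print(f"{PLUGIN_SLUG}: {check_install(target)}")
```

Run it with the path to your wp-content/plugins directory; any result other than "patched" or "not_installed" means the update to 2.0.43 still needs to be applied.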

Conclusion:

The swift response from the plugin developers to address this vulnerability emphasizes the importance of keeping WordPress plugins updated. Users are strongly advised to ensure that they are running version 2.0.43 or later to secure their WordPress installations against potential exploits.

Detailed Report: 

In today's digital landscape, the security of your website is paramount. With cyber threats evolving at an alarming rate, staying vigilant and proactive in safeguarding your online presence is crucial. Unfortunately, recent events have once again underscored the importance of regularly updating your website's software to mitigate potential security risks.

Plugin Details:

Blocksy Companion, developed by creativethemeshq, is a widely used WordPress plugin designed to enhance website functionality. With over 7.8 million downloads and 200,000 active installations, it has become a staple for many WordPress users seeking to optimize their websites' performance.

Vulnerability Details:

Recently, Blocksy Companion was found to have a significant security vulnerability, classified as an Authenticated (Admin+) Server-Side Request Forgery (SSRF) and assigned CVE-2024-35633. This flaw, affecting versions up to and including 2.0.42, enables authenticated attackers with Administrator-level access or higher to make the WordPress server issue web requests to locations of their choosing. Because those requests originate from the web application itself, they can reach internal services that are not exposed to the public, posing significant risks to affected websites.

Risks and Potential Impacts:

The implications of this vulnerability are grave. Attackers exploiting this flaw could gain access to sensitive information, compromise website integrity, and potentially damage your business's reputation. With the proliferation of cyber threats, small business owners cannot afford to overlook the importance of securing their online assets.

Remediation Steps:

To mitigate this risk, it's imperative to take immediate action. Update the Blocksy Companion plugin to version 2.0.43 or later to patch the vulnerability. Additionally, administrators should monitor their systems for any unusual activities or signs of compromise, as well as consider deactivating the plugin temporarily or switching to alternative plugins until the patch is applied.

Overview of Previous Vulnerabilities:

This isn't the first time Blocksy Companion has faced security vulnerabilities. Since March 4, 2022, there have been six previous vulnerabilities identified, highlighting the ongoing need for website owners to stay vigilant and proactive in securing their online presence.

Conclusion:

The Blocksy Companion vulnerability serves as a stark reminder of the ever-present threat landscape facing website owners. For small business owners with WordPress websites, the task of staying on top of security vulnerabilities may seem daunting. However, the consequences of neglecting website security far outweigh the time and effort required to address these issues. By prioritizing security, staying informed about emerging threats, and regularly updating plugins and themes, you can protect your business and ensure the long-term integrity of your online presence.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.
