Blocksy Companion Vulnerability- Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-2392 |WordPress Plugin Vulnerability Report

Plugin Name: Blocksy Companion

Key Information:

  • Software Type: Plugin
  • Software Slug: blocksy-companion
  • Software Status: Active
  • Software Author: creativethemeshq
  • Software Downloads: 6,618,702
  • Active Installs: 200,000
  • Last Updated: March 12, 2024
  • Patched Versions: 2.0.32
  • Affected Versions: <= 2.0.31

Vulnerability Details:

  • Name: Blocksy Companion <= 2.0.31
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting
  • Type: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
  • CVE: CVE-2024-2392
  • CVSS Score: 6.5
  • Publicly Published: March 21, 2024
  • Researcher: Ngô Thiên An (ancorn_) - VNPT-VCI
  • Description: The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Newsletter widget in all versions up to, and including, 2.0.31 due to insufficient input sanitization and output escaping on user-supplied attributes. This allows authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


The Blocksy Companion plugin for WordPress has a vulnerability in versions up to and including 2.0.31 that allows for stored cross-site scripting via the plugin's Newsletter widget due to insufficient input sanitization and output escaping. This vulnerability has been patched in version 2.0.32.

Detailed Overview:

The vulnerability, discovered by researcher Ngô Thiên An (ancorn_) from VNPT-VCI, involves the Newsletter widget of the Blocksy Companion plugin. Due to the lack of proper input sanitization and output escaping, authenticated users with contributor-level access or higher can embed malicious scripts into pages. These scripts can then be executed in the browser of any user accessing the affected pages, potentially leading to unauthorized actions being performed on behalf of the users. The timely identification and disclosure of this vulnerability were critical in mitigating potential risks to WordPress sites using the plugin.

Advice for Users:

  • Immediate Action: Users of the Blocksy Companion plugin are strongly encouraged to update to the patched version 2.0.32 immediately.
  • Check for Signs of Vulnerability: Administrators should review their sites for unexpected or suspicious content, especially within the pages where the Newsletter widget is used.
  • Alternate Plugins: While the vulnerability has been patched, users may consider exploring alternative plugins offering similar functionality as a precautionary measure.
  • Stay Updated: Always keep your plugins updated to the latest versions to safeguard against vulnerabilities.


The swift response from the Blocksy Companion plugin developers in releasing a patch highlights the critical nature of maintaining updated software. By updating to version 2.0.32 or later, users can ensure their WordPress installations remain secure against this particular vulnerability.


Detailed Report: 

In the fast-paced world of digital business, ensuring the security of your WordPress website is paramount. Yet, the reality is that many small business owners, grappling with countless responsibilities, find it challenging to stay abreast of the latest security updates. The recent discovery of a significant vulnerability in the widely used Blocksy Companion plugin serves as a crucial reminder of the risks lurking in outdated software.

Blocksy Companion: A Popular Choice with a Hidden Flaw

Blocksy Companion, celebrated for its versatility and ease of use, boasts over 200,000 active installs. Developed by creativethemeshq, it has been a go-to plugin for many WordPress users, evidenced by its 6,618,702 downloads. Despite its popularity and regular updates, the plugin fell prey to a security flaw affecting versions up to and including 2.0.31.

The Vulnerability Exposed

Identified as CVE-2024-2392, this vulnerability, an Authenticated (Contributor+) Stored Cross-Site Scripting issue, was publicized on March 21, 2024. Stemming from inadequate input sanitization within the plugin's Newsletter widget, it allowed attackers with contributor-level permissions or higher to inject malicious scripts. These scripts could execute unauthorized actions on behalf of unsuspecting users, presenting a clear and present danger to website integrity and user data security.

Understanding the Risks

The implications of such vulnerabilities are far-reaching. From data theft and unauthorized site access to the potential for a complete site takeover, the risks underscore the critical need for vigilance in plugin management.

Taking Action: Remediation Steps

The good news is that the vulnerability has been addressed in version 2.0.32 of Blocksy Companion. Users are urged to update immediately to this patched version. Additionally, reviewing site content for unexpected changes, especially in areas utilizing the Newsletter widget, and considering alternative plugins can provide extra layers of security.

A Look Back: Not the First Alert

This is not the first time vulnerabilities have been discovered in Blocksy Companion, with three prior issues reported since March 4, 2022. Each incident reinforces the importance of regular security audits and updates.

The Bottom Line for Small Business Owners

For small business owners juggling myriad tasks, the thought of constant vigilance over website security can seem daunting. However, the reality of today's digital landscape demands attention to such details. Ignoring plugin updates or security warnings can lead to severe repercussions, potentially jeopardizing not just your website but your entire business.

In conclusion, while it may seem like an additional task in an already packed schedule, staying informed and proactive about security vulnerabilities is non-negotiable. Leveraging managed WordPress hosting services, automatic updates, and professional security assistance can alleviate some of the burdens. Remember, in the digital domain, your website's security is as crucial as the locks on your physical storefront. Prioritize it accordingly to safeguard your online presence and ensure business continuity.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Blocksy Companion Vulnerability- Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-2392 |WordPress Plugin Vulnerability Report FAQs

Leave a Comment