CVE-2026-8365
8.8 HIGHThe Blocksy theme for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution via the 'blocksy_meta' REST API fi...
Published: 2026-06-09 · Last updated: 2026-06-09
Severity and scoring
- CVSS
- 8.8 HIGH
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- CWE
- CWE-502
Description
The Blocksy theme for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution via the 'blocksy_meta' REST API field and the V200 database migration in versions up to and including 2.1.35. This is due to insufficient input sanitization in the blocksy_sanitize_post_meta_options() function, which only blocks values containing '<' or '>' and does not prevent serialized PHP object strings from being stored in post meta, combined with the SearchReplacer::run_recursively() function unconditionally deserializing all string values via @unserialize() during migration without restricting allowed classes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a serialized Blocksy\RaiiPattern object into post meta that, when the V200 migration runs on an upgraded site, is deserialized and triggers RaiiPattern::__destruct(), which executes arbitrary PHP callables via call_user_func().
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-8365
- [Other]https://themes.trac.wordpress.org/browser/blocksy/2.1.35/admin/helpers/meta-boxes.php#L104
- [Other]https://themes.trac.wordpress.org/browser/blocksy/2.1.35/admin/helpers/validator.php#L75
- [Other]https://themes.trac.wordpress.org/browser/blocksy/2.1.35/inc/classes/db-versioning/utils/db-search-replacer.php#L98
- [Other]https://themes.trac.wordpress.org/browser/blocksy/2.1.35/inc/classes/raii.php#L12
- [Other]https://themes.trac.wordpress.org/browser/blocksy/2.1.41/admin/helpers/meta-boxes.php#L104
- [Other]https://themes.trac.wordpress.org/browser/blocksy/2.1.41/admin/helpers/validator.php#L75
- [Other]https://themes.trac.wordpress.org/browser/blocksy/2.1.41/inc/classes/db-versioning/utils/db-search-replacer.php#L98
- [Other]https://themes.trac.wordpress.org/browser/blocksy/2.1.41/inc/classes/raii.php#L12
- [Other]https://themes.trac.wordpress.org/browser/blocksy/trunk/admin/helpers/meta-boxes.php#L104
- [Other]https://themes.trac.wordpress.org/browser/blocksy/trunk/admin/helpers/validator.php#L75
- [Other]https://themes.trac.wordpress.org/browser/blocksy/trunk/inc/classes/db-versioning/utils/db-search-replacer.php#L98
- [Other]https://themes.trac.wordpress.org/browser/blocksy/trunk/inc/classes/raii.php#L12
- [Other]https://www.wordfence.com/threat-intel/vulnerabilities/id/fd216743-ce8d-4632-9fd1-d63502c2dfcd?source=cve
Related CVEs
Same CWE
- CVE-2026-20251 — In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, ... (8.8 HIGH)
- CVE-2026-53435 — In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined i... (8.8 HIGH)
- CVE-2026-52751 — Ghidra before 12.1 contains an unsafe deserialization vulnerability in client-side Shared-Project RMI connection code that allows unauthe... (8.8 HIGH)
- CVE-2026-10721 — Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the in Permission, Cache, and Search components
- CVE-2026-11815 — An attacker who intercepts and tampers with traffic between the client application and the API Gateway server could potentially deseriali...