{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2583", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-16T13:01:11.855Z", "datePublished": "2026-03-02T22:23:39.951Z", "dateUpdated": "2026-04-08T17:24:26.380Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:24:26.380Z"}, "affected": [{"vendor": "creativethemeshq", "product": "Blocksy", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.1.30", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Blocksy theme for WordPress is vulnerable to Stored Cross-Site Scripting via the `blocksy_meta` metadata fields in all versions up to, and including, 2.1.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Blocksy <= 2.1.30 - Authenticated (Contributor+) Stored Cross-Site Scripting via `blocksy_meta` Fields", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ce7ee2c7-0c7b-4ce3-89d2-5503dff6e59c?source=cve"}, {"url": "https://themes.trac.wordpress.org/changeset/315531/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Qu\u1ed1c Huy"}], "timeline": [{"time": "2026-02-13T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-02-16T13:17:35.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-02T09:26:54.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-03T14:38:41.902900Z", "id": "CVE-2026-2583", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T14:38:49.321Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2583", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-03T14:38:41.902900Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T14:38:45.440Z"}}], "cna": {"title": "Blocksy <= 2.1.30 - Authenticated (Contributor+) Stored Cross-Site Scripting via `blocksy_meta` Fields", "credits": [{"lang": "en", "type": "finder", "value": "Qu\u1ed1c Huy"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "creativethemeshq", "product": "Blocksy", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.1.30"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-13T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-02-16T13:17:35.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-02T09:26:54.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ce7ee2c7-0c7b-4ce3-89d2-5503dff6e59c?source=cve"}, {"url": "https://themes.trac.wordpress.org/changeset/315531/"}], "descriptions": [{"lang": "en", "value": "The Blocksy theme for WordPress is vulnerable to Stored Cross-Site Scripting via the `blocksy_meta` metadata fields in all versions up to, and including, 2.1.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:24:26.380Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2583", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:24:26.380Z", "dateReserved": "2026-02-16T13:01:11.855Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-02T22:23:39.951Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Blocksy theme for WordPress is vulnerable to Stored Cross-Site Scripting via the `blocksy_meta` metadata fields in all versions up to, and including, 2.1.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El tema Blocksy para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s de los campos de metadatos 'blocksy_meta' en todas las versiones hasta la 2.1.30, inclusive, debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de nivel Colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2026-2583", "lastModified": "2026-04-22T21:26:58.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-02T23:16:31.160", "references": [{"source": "security@wordfence.com", "url": "https://themes.trac.wordpress.org/changeset/315531/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ce7ee2c7-0c7b-4ce3-89d2-5503dff6e59c?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.1.30]"}}], "enrichment": {"confidence": 96.0, "confidence_source": "matching", "scores": [{"score": 96.0, "source": "matching"}]}, "original": {"product": "Blocksy", "source": "cna", "vendor": "creativethemeshq"}, "product": "blocksy", "vendor": "creativethemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T20:06:54.413203+00:00", "value": {"mitigation_remediation": ["Upgrade the Blocksy theme to the latest available version, which removes the vulnerability.", "If an immediate upgrade is not possible, revoke or limit Contributor\u2011level access to features that allow editing of blocksy_meta fields, reducing the window for injection.", "Implement or enforce input sanitization and output escaping for the blocksy_meta fields to prevent future stored XSS attacks."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting via blocksy_meta fields"}, "threat_synthesis": {"affected_systems": "All installations of the Blocksy theme from its initial release up to and including version 2.1.30 are vulnerable. The theme is distributed by CreativeThemes under the Blocksy identifier on WordPress.", "description_and_impact": "The Blocksy WordPress theme is vulnerable to stored cross\u2011site scripting because the blocksy_meta metadata fields lack proper input sanitization and output escaping in all releases up to 2.1.30. Authenticated users with Contributor role or higher can inject arbitrary JavaScript into these fields, causing the code to run whenever any visitor opens an affected page. Based on the description, it is inferred that such injected scripts could be used to steal session cookies, deface the site, or launch additional attacks against site users, although these specific consequences are not explicitly stated in the CVE text.", "risk_and_exploitability": "The vulnerability scores 6.4 on CVSS, indicating moderate severity. The EPSS score is less than 1%, implying a low probability of exploitation at present. It is not listed in the CISA KEV catalog. The attack requires authenticated access; an attacker must be a Contributor or have higher privileges to insert malicious content into the blocksy_meta fields. The likely attack vector is an authenticated content injection via the theme\u2019s metadata editor."}}}}, "created": "2026-03-03T08:40:53.608233+00:00", "updated": "2026-04-15T20:15:13.712601+00:00", "vendors": ["creativethemes", "creativethemes$PRODUCT$blocksy", "wordpress", "wordpress$PRODUCT$wordpress"]}