CVE-2026-8365
HighCVSS 8.8Exploitation Probability (EPSS)
Elevated risk71th percentile - higher than 71% of all known CVEs
Summary
The Blocksy theme for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution via the 'blocksy_meta' REST API field and the V200 database migration in versions up to and including 2.1.35. This is due to insufficient input sanitization in the blocksy_sanitize_post_meta_options() function.
Risk Assessment
Authenticated attackers with contributor-level access and above can inject serialized PHP objects into post meta, potentially executing arbitrary PHP code on the upgraded site. This poses a significant security risk to the application and user data.
Recommendation
It is recommended to update the Blocksy theme to the latest version to mitigate this vulnerability. Additionally, implementing further security measures, such as restricting data deserialization during migrations, is advisable.
Original NVD description (English source)
The Blocksy theme for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution via the 'blocksy_meta' REST API field and the V200 database migration in versions up to and including 2.1.35. This is due to insufficient input sanitization in the blocksy_sanitize_post_meta_options() function, which only blocks values containing '<' or '>' and does not prevent serialized PHP object strings from being stored in post meta, combined with the SearchReplacer::run_recursively() function unconditionally deserializing all string values via @unserialize() during migration without restricting allowed classes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a serialized Blocksy\RaiiPattern object into post meta that, when the V200 migration runs on an upgraded site, is deserialized and triggers RaiiPattern::__destruct(), which executes arbitrary PHP callables via call_user_func().

