Introduction
A two stage PHP Object Injection chain in the Blocksy WordPress theme allows authenticated users with contributor level access to plant serialized PHP objects that execute arbitrary code when a database migration runs, affecting over 300,000 active installations. The vulnerability, tracked as CVE-2026-8365 with a CVSS 3.1 score of 8.8, combines an inadequate input filter with an unrestricted @unserialize() call to deliver full Remote Code Execution through a built in POP gadget.
Blocksy is a popular free WordPress theme developed by Creative Themes, marketed as a fast, modern theme optimized for the Gutenberg editor and WooCommerce. With over 300,000 active installations on the WordPress.org theme directory and a premium "Blocksy Pro" tier, it occupies a significant position in the WordPress theme ecosystem. Given that WordPress powers approximately 42.6% of all websites, the potential reach of a vulnerability in a theme this widely deployed is considerable.
Technical Information
Vulnerability Classification
CVE-2026-8365 falls under CWE-502 (Deserialization of Untrusted Data). The NVD record, published June 9, 2026, assigns a CVSS 3.1 vector of AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, which breaks down as follows: network attack vector, low attack complexity, low privileges required (contributor role), no user interaction needed, unchanged scope, and high impact across confidentiality, integrity, and availability. The source CNA is [email protected].
The Two Stage Attack Chain
This vulnerability is not a single code flaw but a chain of two independent weaknesses that, when combined, produce a full RCE primitive.
Stage 1: Serialized Object Injection via the REST API
The Blocksy theme registers a blocksy_meta REST API field that allows post metadata to be set through the WordPress REST API. Input validation for this field is handled by the blocksy_sanitize_post_meta_options() function, referenced at admin/helpers/validator.php line 75 and admin/helpers/meta-boxes.php line 104.
The sanitization logic only blocks values containing the characters < or >. This check is designed to prevent HTML and XSS injection, but it is wholly insufficient against PHP Object Injection. Serialized PHP objects use the format O:length:"className":count:{...}, which contains no angle brackets and passes the filter without issue.
An authenticated attacker with contributor level access (or above) can send a REST API request containing a crafted blocksy_meta field with a serialized Blocksy\RaiiPattern PHP object. The sanitization function accepts the value and stores it in the WordPress wp_postmeta table. At this point, the payload is dormant.
Stage 2: Deserialization Trigger via V200 Migration
The stored serialized object is activated when the V200 database migration runs. The SearchReplacer::run_recursively() function, located at inc/classes/db-versioning/utils/db-search-replacer.php line 98, iterates over database values during migration and unconditionally applies @unserialize() to all string values it encounters.
The critical flaw here is the absence of PHP's allowed_classes parameter in the unserialize() call. Without this restriction, any serialized object is fully reconstructed, including the attacker controlled Blocksy\RaiiPattern instance.
Stage 3: POP Gadget Execution via RaiiPattern::__destruct()
The Blocksy\RaiiPattern class, defined at inc/classes/raii.php line 12, implements the RAII (Resource Acquisition Is Initialization) pattern. Its __destruct() magic method executes a cleanup callable via call_user_func() when the object is destroyed.
Because the attacker controls both the callable and its arguments (embedded in the serialized object properties), call_user_func() executes arbitrary PHP callables. This is a textbook Property Oriented Programming (POP) gadget chain: a legitimate class method intended for resource cleanup is repurposed as an arbitrary code execution primitive.
Attack Prerequisites
| Factor | Detail |
|---|---|
| Authentication | Contributor level WordPress account or above |
| Attack vector | Network (REST API) |
| User interaction | None required |
| Trigger condition | V200 database migration must run |
| Attack complexity | Low |
| Impact | Full RCE (C:H/I:H/A:H) |
The V200 migration dependency introduces a timing constraint. The attacker must inject the payload first, and the migration must subsequently be triggered (typically when the site upgrades to a version that includes the V200 migration step). This creates a delayed detonation scenario: the malicious payload can sit in the database for an extended period before executing, complicating detection and attribution.
Root Cause Analysis
Two distinct coding decisions enabled this chain:
-
Incomplete input validation: The
blocksy_sanitize_post_meta_options()function was designed with HTML injection in mind, filtering only for<and>characters. It did not account for serialized PHP object strings, which represent a fundamentally different attack class. This is a common pattern in WordPress theme and plugin development where sanitization is oriented around web output contexts rather than data storage safety. -
Unrestricted deserialization: The
SearchReplacer::run_recursively()function uses@unserialize()without specifyingallowed_classes. PHP has supported theallowed_classesoption since version 7.0, specifically to mitigate this class of vulnerability. The@error suppression operator further masks any deserialization errors, making the behavior silent.
Either weakness alone would be insufficient for exploitation. Without the sanitization bypass, the serialized object could not be stored. Without the unrestricted deserialization, the stored string would remain inert. The chain requires both.
Affected Systems and Versions
The vulnerability affects the Blocksy theme for WordPress in all versions up to and including 2.1.41. This includes both the free version available on the WordPress.org theme directory and the premium Blocksy Pro variant.
The Wordfence advisory confirms version 2.1.42, released May 14, 2026, as the first patched version. The changelog for this release describes the fix as "Improve validation of post meta for unexpected values."
Sites are vulnerable if they meet all of the following conditions:
- Running Blocksy theme version 2.1.41 or earlier
- Have at least one user account with contributor level access or above
- Will trigger or have triggered the V200 database migration
The Trac references in the advisory point to source code in versions 2.1.35 and 2.1.41, confirming the vulnerability spans at least this range. Given the description states "versions up to and including 2.1.35" in the NVD entry (with the Wordfence advisory extending this to 2.1.41), all versions in this range should be considered affected.
Vendor Security History
Creative Themes has a documented pattern of security vulnerabilities across the Blocksy theme and its companion plugin:
| CVE / Identifier | Type | Affected Component | Affected Versions | Fixed Version |
|---|---|---|---|---|
| CVE-2026-8365 | PHP Object Injection to RCE | Blocksy Theme | Up to 2.1.41 | 2.1.42 |
| CVE-2026-2583 | Stored XSS | Blocksy Theme | Up to 2.1.6 | 2.1.7 |
| CVE-2024-11420 | Stored XSS | Blocksy Theme (Contact Info Block) | Up to 2.0.51 | Not specified |
| WPScan 40781981 | Reflected XSS | Blocksy Theme (custom_url parameter) | Before 2.0.51 | 2.0.51 |
| Patchstack ID | Authenticated Arbitrary File Upload (SVG) | Blocksy Companion | Up to 2.1.19 | After 2.1.19 |
The recurring theme across these disclosures is input validation failures: two XSS vulnerabilities, an SVG upload bypass, and now a critical PHP Object Injection flaw. This pattern suggests that security review processes at Creative Themes have historically not caught sanitization gaps before release.
The vendor does not appear to maintain a dedicated security disclosure page or bug bounty program. The understated changelog entry for version 2.1.42 ("Improve validation of post meta for unexpected values") does not explicitly identify the change as a security fix, which may cause site administrators to treat it as a routine update rather than a critical security patch.
References
- NVD: CVE-2026-8365
- CVE.org: CVE-2026-8365 Record
- Wordfence Advisory: Blocksy <= 2.1.41 PHP Object Injection
- Wordfence Advisory (alternate link)
- Blocksy Theme Source: meta-boxes.php (v2.1.35)
- Blocksy Theme Source: validator.php (v2.1.35)
- Blocksy Theme Source: db-search-replacer.php (v2.1.35)
- Blocksy Theme Source: raii.php (v2.1.35)
- Blocksy Theme Source: meta-boxes.php (v2.1.41)
- Blocksy Theme Source: validator.php (v2.1.41)
- Blocksy Theme Source: db-search-replacer.php (v2.1.41)
- Blocksy Theme Source: raii.php (v2.1.41)
- Blocksy Changelog
- WordPress.org: Blocksy Theme
- CWE-502: Deserialization of Untrusted Data
- OWASP: PHP Object Injection
- OWASP: Deserialization of Untrusted Data
- WPScan: Blocksy Theme Vulnerabilities
- Patchstack: Blocksy Companion Vulnerabilities
- Patchstack: Blocksy Theme XSS (CVE-2026-2583)
- NVD: CVE-2024-11420
- SentinelOne: CVE-2026-2583



