ZeroPath at Black Hat USA 2026

Blocksy WordPress Theme CVE-2026-8365: Brief Summary of PHP Object Injection to Remote Code Execution

A brief summary of CVE-2026-8365, a PHP Object Injection vulnerability in the Blocksy WordPress theme that chains insufficient input sanitization with unsafe deserialization during database migration to achieve Remote Code Execution with contributor level access.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-09

Blocksy WordPress Theme CVE-2026-8365: Brief Summary of PHP Object Injection to Remote Code Execution
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A two stage PHP Object Injection chain in the Blocksy WordPress theme allows authenticated users with contributor level access to plant serialized PHP objects that execute arbitrary code when a database migration runs, affecting over 300,000 active installations. The vulnerability, tracked as CVE-2026-8365 with a CVSS 3.1 score of 8.8, combines an inadequate input filter with an unrestricted @unserialize() call to deliver full Remote Code Execution through a built in POP gadget.

Blocksy is a popular free WordPress theme developed by Creative Themes, marketed as a fast, modern theme optimized for the Gutenberg editor and WooCommerce. With over 300,000 active installations on the WordPress.org theme directory and a premium "Blocksy Pro" tier, it occupies a significant position in the WordPress theme ecosystem. Given that WordPress powers approximately 42.6% of all websites, the potential reach of a vulnerability in a theme this widely deployed is considerable.

Technical Information

Vulnerability Classification

CVE-2026-8365 falls under CWE-502 (Deserialization of Untrusted Data). The NVD record, published June 9, 2026, assigns a CVSS 3.1 vector of AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, which breaks down as follows: network attack vector, low attack complexity, low privileges required (contributor role), no user interaction needed, unchanged scope, and high impact across confidentiality, integrity, and availability. The source CNA is [email protected].

The Two Stage Attack Chain

This vulnerability is not a single code flaw but a chain of two independent weaknesses that, when combined, produce a full RCE primitive.

Stage 1: Serialized Object Injection via the REST API

The Blocksy theme registers a blocksy_meta REST API field that allows post metadata to be set through the WordPress REST API. Input validation for this field is handled by the blocksy_sanitize_post_meta_options() function, referenced at admin/helpers/validator.php line 75 and admin/helpers/meta-boxes.php line 104.

The sanitization logic only blocks values containing the characters < or >. This check is designed to prevent HTML and XSS injection, but it is wholly insufficient against PHP Object Injection. Serialized PHP objects use the format O:length:"className":count:{...}, which contains no angle brackets and passes the filter without issue.

An authenticated attacker with contributor level access (or above) can send a REST API request containing a crafted blocksy_meta field with a serialized Blocksy\RaiiPattern PHP object. The sanitization function accepts the value and stores it in the WordPress wp_postmeta table. At this point, the payload is dormant.

Stage 2: Deserialization Trigger via V200 Migration

The stored serialized object is activated when the V200 database migration runs. The SearchReplacer::run_recursively() function, located at inc/classes/db-versioning/utils/db-search-replacer.php line 98, iterates over database values during migration and unconditionally applies @unserialize() to all string values it encounters.

The critical flaw here is the absence of PHP's allowed_classes parameter in the unserialize() call. Without this restriction, any serialized object is fully reconstructed, including the attacker controlled Blocksy\RaiiPattern instance.

Stage 3: POP Gadget Execution via RaiiPattern::__destruct()

The Blocksy\RaiiPattern class, defined at inc/classes/raii.php line 12, implements the RAII (Resource Acquisition Is Initialization) pattern. Its __destruct() magic method executes a cleanup callable via call_user_func() when the object is destroyed.

Because the attacker controls both the callable and its arguments (embedded in the serialized object properties), call_user_func() executes arbitrary PHP callables. This is a textbook Property Oriented Programming (POP) gadget chain: a legitimate class method intended for resource cleanup is repurposed as an arbitrary code execution primitive.

Attack Prerequisites

FactorDetail
AuthenticationContributor level WordPress account or above
Attack vectorNetwork (REST API)
User interactionNone required
Trigger conditionV200 database migration must run
Attack complexityLow
ImpactFull RCE (C:H/I:H/A:H)

The V200 migration dependency introduces a timing constraint. The attacker must inject the payload first, and the migration must subsequently be triggered (typically when the site upgrades to a version that includes the V200 migration step). This creates a delayed detonation scenario: the malicious payload can sit in the database for an extended period before executing, complicating detection and attribution.

Root Cause Analysis

Two distinct coding decisions enabled this chain:

  1. Incomplete input validation: The blocksy_sanitize_post_meta_options() function was designed with HTML injection in mind, filtering only for < and > characters. It did not account for serialized PHP object strings, which represent a fundamentally different attack class. This is a common pattern in WordPress theme and plugin development where sanitization is oriented around web output contexts rather than data storage safety.

  2. Unrestricted deserialization: The SearchReplacer::run_recursively() function uses @unserialize() without specifying allowed_classes. PHP has supported the allowed_classes option since version 7.0, specifically to mitigate this class of vulnerability. The @ error suppression operator further masks any deserialization errors, making the behavior silent.

Either weakness alone would be insufficient for exploitation. Without the sanitization bypass, the serialized object could not be stored. Without the unrestricted deserialization, the stored string would remain inert. The chain requires both.

Affected Systems and Versions

The vulnerability affects the Blocksy theme for WordPress in all versions up to and including 2.1.41. This includes both the free version available on the WordPress.org theme directory and the premium Blocksy Pro variant.

The Wordfence advisory confirms version 2.1.42, released May 14, 2026, as the first patched version. The changelog for this release describes the fix as "Improve validation of post meta for unexpected values."

Sites are vulnerable if they meet all of the following conditions:

  • Running Blocksy theme version 2.1.41 or earlier
  • Have at least one user account with contributor level access or above
  • Will trigger or have triggered the V200 database migration

The Trac references in the advisory point to source code in versions 2.1.35 and 2.1.41, confirming the vulnerability spans at least this range. Given the description states "versions up to and including 2.1.35" in the NVD entry (with the Wordfence advisory extending this to 2.1.41), all versions in this range should be considered affected.

Vendor Security History

Creative Themes has a documented pattern of security vulnerabilities across the Blocksy theme and its companion plugin:

CVE / IdentifierTypeAffected ComponentAffected VersionsFixed Version
CVE-2026-8365PHP Object Injection to RCEBlocksy ThemeUp to 2.1.412.1.42
CVE-2026-2583Stored XSSBlocksy ThemeUp to 2.1.62.1.7
CVE-2024-11420Stored XSSBlocksy Theme (Contact Info Block)Up to 2.0.51Not specified
WPScan 40781981Reflected XSSBlocksy Theme (custom_url parameter)Before 2.0.512.0.51
Patchstack IDAuthenticated Arbitrary File Upload (SVG)Blocksy CompanionUp to 2.1.19After 2.1.19

The recurring theme across these disclosures is input validation failures: two XSS vulnerabilities, an SVG upload bypass, and now a critical PHP Object Injection flaw. This pattern suggests that security review processes at Creative Themes have historically not caught sanitization gaps before release.

The vendor does not appear to maintain a dedicated security disclosure page or bug bounty program. The understated changelog entry for version 2.1.42 ("Improve validation of post meta for unexpected values") does not explicitly identify the change as a security fix, which may cause site administrators to treat it as a routine update rather than a critical security patch.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization