The Blocksy Companion plugin for WordPress is at risk of being hacked through a type of attack called Stored Cross-Site Scripting. This can happen when someone uploads a certain type of file, called an SVG, to the plugin. This vulnerability affects versions 2.0.45 and earlier because the plugin does not properly check and secure the input and output of information. As a result, attackers who are logged in to the website with at least contributor-level permissions can add harmful code to pages that will run when someone visits that page.