CVE-2026-58480
Deferred Deferred - Pending Action

Blocksy Companion Pro Plugin Unauthenticated File Upload RCE

Vulnerability report for CVE-2026-58480, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: VulnCheck

Description

Blocksy Companion Pro plugin for WordPress before 2.1.47 contains an unauthenticated arbitrary file upload vulnerability that allows attackers to upload executable files by bypassing extension validation in the save_attachments function exposed through the Advanced Reviews feature. Attackers can exploit the Custom Fonts extension's flawed strpos() substring check by uploading double-extension filenames such as shell.woff2.php, causing the validation to pass on the substring match while the web server executes the file as PHP, achieving remote code execution.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
blocksy companion_pro to 2.1.47 (exc)
creative_themes blocksy_companion_pro to 2.1.47 (exc)
creative_themes blocksy_companion to 2.1.47 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthenticated attackers to upload and execute arbitrary files on affected WordPress sites, potentially leading to unauthorized access and remote code execution.

Such unauthorized access and potential data breaches could impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access and ensuring system integrity.

Failure to patch this vulnerability could result in violations of these standards due to compromised confidentiality, integrity, and availability of data.

Executive Summary

The Blocksy Companion Pro plugin for WordPress versions before 2.1.47 contains a critical unauthenticated arbitrary file upload vulnerability. This flaw exists in the save_attachments function of the Advanced Reviews feature. Attackers can bypass the plugin's extension validation by uploading files with double extensions, such as shell.woff2.php. The validation incorrectly checks for substrings, allowing the malicious file to pass through. Once uploaded, the web server executes the file as PHP, enabling remote code execution.

Impact Analysis

This vulnerability allows attackers to upload and execute malicious files on your WordPress site without authentication. As a result, attackers can gain remote code execution capabilities, potentially leading to full site compromise, unauthorized access, data theft, defacement, or use of the server for malicious activities. The vulnerability is highly severe, with CVSS scores up to 9.8, and has been exploited in mass campaigns targeting many websites.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious file uploads with double extensions such as shell.woff2.php in the directories where the Blocksy Companion Pro plugin stores attachments or uploads.

You can scan your web server's upload directories for files with double extensions that might indicate an attempt to bypass extension validation.

  • Use a command like: find /path/to/wordpress/wp-content/uploads/ -type f -regex ".*\.[a-z0-9]+\.[a-z0-9]+" to locate files with multiple extensions.
  • Check your web server logs for POST requests to the save_attachments function or the Advanced Reviews feature endpoints that include suspicious file names.
  • Use intrusion detection systems or web application firewalls (WAF) to alert on uploads containing double extensions or unusual file types.
Mitigation Strategies

The immediate and most effective mitigation step is to update the Blocksy Companion Pro plugin to version 2.1.47 or later, where the vulnerability has been patched.

Until the update can be applied, implement mitigation rules provided by Patchstack or your web application firewall to block uploads with double extensions or suspicious file types.

Monitor your system for any signs of exploitation, such as unexpected PHP files in upload directories or unusual web server activity.

  • Apply the Patchstack mitigation rule to block attacks targeting this vulnerability.
  • Restrict file upload permissions and validate file extensions more strictly on the server side.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-58480. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart