PT-2026-56414 · WordPress · Blocksy Companion Pro

Published

2026-07-08

·

Updated

2026-07-08

·

CVE-2026-58480

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Blocksy Companion Pro plugin for WordPress versions prior to 2.1.47
Description An unauthenticated arbitrary file upload issue exists within the Advanced Reviews feature. The save attachments() function fails to properly validate file extensions, specifically due to a flawed strpos() substring check in the Custom Fonts extension. An attacker can bypass this validation by using double-extension filenames, such as shell.woff2.php, allowing the upload of executable files that the web server processes as PHP, leading to remote code execution.
Recommendations Update Blocksy Companion Pro plugin for WordPress to version 2.1.47 or later.

Fix

Unrestricted File Upload

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-58480

Affected Products

Blocksy Companion Pro