PT-2026-56414 · WordPress · Blocksy Companion Pro
Published
2026-07-08
·
Updated
2026-07-08
·
CVE-2026-58480
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Blocksy Companion Pro plugin for WordPress versions prior to 2.1.47
Description
An unauthenticated arbitrary file upload issue exists within the Advanced Reviews feature. The
save attachments() function fails to properly validate file extensions, specifically due to a flawed strpos() substring check in the Custom Fonts extension. An attacker can bypass this validation by using double-extension filenames, such as shell.woff2.php, allowing the upload of executable files that the web server processes as PHP, leading to remote code execution.Recommendations
Update Blocksy Companion Pro plugin for WordPress to version 2.1.47 or later.
Fix
Unrestricted File Upload
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Blocksy Companion Pro