Blocksy Companion Pro plugin for WordPress before 2.1.47 contains an unauthenticated arbitrary file upload vulnerability that allows attackers to upload executable files by bypassing extension validation in the save_attachments function exposed through the Advanced Reviews feature. Attackers can exploit the Custom Fonts extension's flawed strpos() substring check by uploading double-extension filenames such as shell.woff2.php, causing the validation to pass on the substring match while the web server executes the file as PHP, achieving remote code execution.
Metrics
Affected Vendors & Products
References
History
Wed, 08 Jul 2026 15:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Creativethemes
Creativethemes blocksy Companion Wordpress Wordpress wordpress |
|
| Vendors & Products |
Creativethemes
Creativethemes blocksy Companion Wordpress Wordpress wordpress |
Wed, 08 Jul 2026 13:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Blocksy Companion Pro plugin for WordPress before 2.1.47 contains an unauthenticated arbitrary file upload vulnerability that allows attackers to upload executable files by bypassing extension validation in the save_attachments function exposed through the Advanced Reviews feature. Attackers can exploit the Custom Fonts extension's flawed strpos() substring check by uploading double-extension filenames such as shell.woff2.php, causing the validation to pass on the substring match while the web server executes the file as PHP, achieving remote code execution. | |
| Title | Blocksy Companion Pro < 2.1.47 Unauthenticated File Upload via save_attachments | |
| Weaknesses | CWE-434 | |
| References |
|
|
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-08T13:42:52.086Z
Reserved: 2026-06-30T20:20:33.791Z
Link: CVE-2026-58480
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-08T14:45:03Z