Arbitrary File Upload Vulnerability in Blocksy Companion Plugin for WordPress
CVE-2026-15158

9.8CRITICAL

Key Information:

Vendor

WordPress

Vendor
CVE Published:
9 July 2026

What is CVE-2026-15158?

The Blocksy Companion plugin for WordPress is susceptible to an Arbitrary File Upload vulnerability in versions up to 2.1.46. This issue arises from the Custom Fonts extension, which improperly validates file types through a lenient check, allowing filenames containing .woff2 or .ttf as substrings to bypass necessary safety measures. This flaw permits attackers to upload arbitrary files, including potentially executable scripts, which can lead to remote code execution. This vulnerability is specifically exploitable when the premium version of the Blocksy Companion plugin is used in conjunction with both the WooCommerce Extra (Advanced Reviews) and Custom Fonts extensions.

Affected Version(s)

Blocksy Companion 0 <= 2.1.46

References

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Nguyen Ba Khanh
.