Arbitrary File Upload Vulnerability in Blocksy Companion Plugin for WordPress
CVE-2026-15158
9.8CRITICAL
What is CVE-2026-15158?
The Blocksy Companion plugin for WordPress is susceptible to an Arbitrary File Upload vulnerability in versions up to 2.1.46. This issue arises from the Custom Fonts extension, which improperly validates file types through a lenient check, allowing filenames containing .woff2 or .ttf as substrings to bypass necessary safety measures. This flaw permits attackers to upload arbitrary files, including potentially executable scripts, which can lead to remote code execution. This vulnerability is specifically exploitable when the premium version of the Blocksy Companion plugin is used in conjunction with both the WooCommerce Extra (Advanced Reviews) and Custom Fonts extensions.
Affected Version(s)
Blocksy Companion 0 <= 2.1.46