Unauthenticated File Upload Vulnerability in Blocksy Companion Pro Plugin for WordPress
CVE-2026-58480
9.2CRITICAL
What is CVE-2026-58480?
The Blocksy Companion Pro plugin for WordPress prior to version 2.1.47 is susceptible to an unauthenticated arbitrary file upload vulnerability. This flaw allows attackers to exploit the Advanced Reviews feature and circumvent extension validation in the save_attachments function. By utilizing flawed substring checks, attackers can upload executable files with double extensions (e.g., shell.woff2.php), tricking the system into accepting them. Once uploaded, these files can be executed on the web server, leading to potential remote code execution, compromising the integrity and security of affected WordPress installations.
Affected Version(s)
Blocksy Companion 0 <= 2.1.46
Blocksy Companion 0 <= 2.1.46
Blocksy Companion 2.1.47