Unauthenticated File Upload Vulnerability in Blocksy Companion Pro Plugin for WordPress
CVE-2026-58480

9.2CRITICAL

Key Information:

Vendor

WordPress

Vendor
CVE Published:
8 July 2026

What is CVE-2026-58480?

The Blocksy Companion Pro plugin for WordPress prior to version 2.1.47 is susceptible to an unauthenticated arbitrary file upload vulnerability. This flaw allows attackers to exploit the Advanced Reviews feature and circumvent extension validation in the save_attachments function. By utilizing flawed substring checks, attackers can upload executable files with double extensions (e.g., shell.woff2.php), tricking the system into accepting them. Once uploaded, these files can be executed on the web server, leading to potential remote code execution, compromising the integrity and security of affected WordPress installations.

Affected Version(s)

Blocksy Companion 0 <= 2.1.46

Blocksy Companion 0 <= 2.1.46

Blocksy Companion 2.1.47

References

CVSS V4

Score:
9.2
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Nguyen Ba Khanh
.