## Overview
The Blocksy Companion Pro plugin for WordPress, versions prior to 2.1.47, contains a critical vulnerability identified as CVE-2026-58480. This flaw allows unauthenticated attackers to upload arbitrary files, potentially leading to remote code execution.
## Technical Details
The vulnerability resides in the `save_attachments` function, which is part of the Advanced Reviews feature. Attackers can exploit a flawed substring check in the Custom Fonts extension. By uploading files with double extensions, such as `shell.woff2.php`, attackers can bypass extension validation. The server executes these files as PHP, enabling remote code execution.
## Impact
With a CVSS score of 9.2, this vulnerability poses a significant risk. Successful exploitation allows attackers to execute arbitrary code on the server, potentially compromising the entire site. This can lead to data breaches, site defacement, or further exploitation of connected systems.
## Mitigation
Defenders should immediately update the Blocksy Companion Pro plugin to version 2.1.47 or later. Regularly review and monitor file uploads, and implement security measures such as web application firewalls to detect and block malicious file uploads. Additionally, ensure that all other plugins and themes are up to date to minimize exposure to similar vulnerabilities.
CSURFACE Threat Sensor