Skip to content
Threat Feed
critical advisory

Critical RCE Vulnerability in Blocksy Companion Pro WordPress Plugin (CVE-2026-58480)

An unauthenticated arbitrary file upload vulnerability (CVE-2026-58480) in Blocksy Companion Pro plugin for WordPress versions prior to 2.1.47 allows attackers to bypass extension validation via double-extension files, leading to remote code execution by forcing the web server to execute uploaded PHP files.

A critical unauthenticated arbitrary file upload vulnerability, tracked as CVE-2026-58480, has been identified in the Blocksy Companion Pro plugin for WordPress, affecting all versions prior to 2.1.47. This flaw enables remote attackers to achieve arbitrary code execution on vulnerable WordPress installations. The vulnerability resides within the save_attachments function, exposed through the Advanced Reviews feature, where inadequate extension validation allows attackers to upload executable files. Specifically, a flawed strpos() substring check in the Custom Fonts extension's validation mechanism can be bypassed by using double-extension filenames (e.g., shell.woff2.php). This bypass tricks the web server into executing the uploaded file as PHP, giving attackers full control over the compromised website. This vulnerability presents a significant risk to affected organizations, allowing for website defacement, data theft, or further network compromise.

Attack Chain

  1. An unauthenticated attacker identifies a WordPress site running the Blocksy Companion Pro plugin version prior to 2.1.47.
  2. The attacker crafts a malicious file, such as shell.woff2.php, containing PHP code.
  3. The attacker sends an HTTP POST request to the save_attachments function, which is exposed via the Advanced Reviews feature, attempting to upload the malicious file. This likely targets the admin-ajax.php endpoint.
  4. The plugin's validation process, specifically the strpos() check in the Custom Fonts extension, mistakenly passes the filename shell.woff2.php because it contains the .woff2 substring.
  5. The save_attachments function proceeds with the upload, placing the file on the web server.
  6. The web server, recognizing the .php extension, attempts to execute the uploaded file as a PHP script when accessed, leading to remote code execution.
  7. The attacker gains arbitrary code execution, typically establishing a web shell for persistent access and further compromise.

Impact

The successful exploitation of CVE-2026-58480 leads to full remote code execution on the compromised WordPress server. This allows attackers to deface websites, inject malicious content, exfiltrate sensitive data (e.g., customer information, intellectual property), establish persistent access via web shells, and potentially pivot to other systems within the network. For businesses relying on WordPress for e-commerce, content delivery, or lead generation, this can result in significant financial losses, reputational damage, and regulatory penalties. The high CVSS score of 9.8 reflects the critical nature of this unauthenticated RCE.

Recommendation

  • Immediately update the Blocksy Companion Pro plugin to version 2.1.47 or later to patch CVE-2026-58480.
  • Deploy the Sigma rule "Detects CVE-2026-58480 Exploitation - Blocksy Companion Pro File Upload Bypass" to your SIEM to detect attempts to exploit this vulnerability.
  • Enable detailed webserver logging (e.g., Apache access logs, Nginx access logs) to capture full HTTP request details, including URI stems, query strings, and request methods, which are crucial for the detection rule.
  • Regularly review web server access logs for suspicious file uploads to /wp-content/uploads/ or other writable directories, especially for files with double extensions.

Detection coverage 1

Detects CVE-2026-58480 Exploitation - Blocksy Companion Pro File Upload Bypass

high

Detects CVE-2026-58480 exploitation attempts by monitoring suspicious file upload requests to WordPress admin-ajax.php with double extensions that bypass validation, indicative of arbitrary file upload leading to RCE in Blocksy Companion Pro plugin.

sigma tactics: execution, initial_access, persistence techniques: T1059.006, T1190, T1505.004 sources: webserver

Detection queries are available on the platform. Get full rules →