{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/blocksy-companion-pro-plugin--2.1.47/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-58480"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Blocksy Companion Pro plugin \u003c 2.1.47","WordPress"],"_cs_severities":["critical"],"_cs_tags":["wordpress","plugin","rce","file-upload","web"],"_cs_type":"advisory","_cs_vendors":["Blocksy","WordPress"],"content_html":"\u003cp\u003eA critical unauthenticated arbitrary file upload vulnerability, tracked as CVE-2026-58480, has been identified in the Blocksy Companion Pro plugin for WordPress, affecting all versions prior to 2.1.47. This flaw enables remote attackers to achieve arbitrary code execution on vulnerable WordPress installations. The vulnerability resides within the \u003ccode\u003esave_attachments\u003c/code\u003e function, exposed through the Advanced Reviews feature, where inadequate extension validation allows attackers to upload executable files. Specifically, a flawed \u003ccode\u003estrpos()\u003c/code\u003e substring check in the Custom Fonts extension's validation mechanism can be bypassed by using double-extension filenames (e.g., \u003ccode\u003eshell.woff2.php\u003c/code\u003e). This bypass tricks the web server into executing the uploaded file as PHP, giving attackers full control over the compromised website. This vulnerability presents a significant risk to affected organizations, allowing for website defacement, data theft, or further network compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site running the Blocksy Companion Pro plugin version prior to 2.1.47.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious file, such as \u003ccode\u003eshell.woff2.php\u003c/code\u003e, containing PHP code.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP POST request to the \u003ccode\u003esave_attachments\u003c/code\u003e function, which is exposed via the Advanced Reviews feature, attempting to upload the malicious file. This likely targets the \u003ccode\u003eadmin-ajax.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe plugin's validation process, specifically the \u003ccode\u003estrpos()\u003c/code\u003e check in the Custom Fonts extension, mistakenly passes the filename \u003ccode\u003eshell.woff2.php\u003c/code\u003e because it contains the \u003ccode\u003e.woff2\u003c/code\u003e substring.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esave_attachments\u003c/code\u003e function proceeds with the upload, placing the file on the web server.\u003c/li\u003e\n\u003cli\u003eThe web server, recognizing the \u003ccode\u003e.php\u003c/code\u003e extension, attempts to execute the uploaded file as a PHP script when accessed, leading to remote code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution, typically establishing a web shell for persistent access and further compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-58480 leads to full remote code execution on the compromised WordPress server. This allows attackers to deface websites, inject malicious content, exfiltrate sensitive data (e.g., customer information, intellectual property), establish persistent access via web shells, and potentially pivot to other systems within the network. For businesses relying on WordPress for e-commerce, content delivery, or lead generation, this can result in significant financial losses, reputational damage, and regulatory penalties. The high CVSS score of 9.8 reflects the critical nature of this unauthenticated RCE.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the Blocksy Companion Pro plugin to version 2.1.47 or later to patch CVE-2026-58480.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detects CVE-2026-58480 Exploitation - Blocksy Companion Pro File Upload Bypass\u0026quot; to your SIEM to detect attempts to exploit this vulnerability.\u003c/li\u003e\n\u003cli\u003eEnable detailed webserver logging (e.g., Apache access logs, Nginx access logs) to capture full HTTP request details, including URI stems, query strings, and request methods, which are crucial for the detection rule.\u003c/li\u003e\n\u003cli\u003eRegularly review web server access logs for suspicious file uploads to \u003ccode\u003e/wp-content/uploads/\u003c/code\u003e or other writable directories, especially for files with double extensions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-08T14:19:33Z","date_published":"2026-07-08T14:19:33Z","id":"https://feed.craftedsignal.io/briefs/2026-07-wordpress-blocksy-file-upload-rce/","summary":"An unauthenticated arbitrary file upload vulnerability (CVE-2026-58480) in Blocksy Companion Pro plugin for WordPress versions prior to 2.1.47 allows attackers to bypass extension validation via double-extension files, leading to remote code execution by forcing the web server to execute uploaded PHP files.","title":"Critical RCE Vulnerability in Blocksy Companion Pro WordPress Plugin (CVE-2026-58480)","url":"https://feed.craftedsignal.io/briefs/2026-07-wordpress-blocksy-file-upload-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Blocksy Companion Pro Plugin \u003c 2.1.47","version":"https://jsonfeed.org/version/1.1"}