Product
The Blocksy Companion plugin for WordPress, specifically the premium version (blocksy-companion-pro) with the WooCommerce Extra (Advanced Reviews) and Custom Fonts extensions active, is vulnerable to Arbitrary File Upload (CVE-2026-15158). This flaw, present in versions up to and including 2.1.46, arises from improper file type validation within the `save_attachments` function, allowing double-extension files like `shell.woff2.php` to bypass MIME checks, which unauthenticated attackers can exploit to upload executable files, leading to remote code execution.