{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/blocksy-companion-pro/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-15158"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Blocksy Companion plugin (\u003c= 2.1.46)","blocksy-companion-pro","WooCommerce Extra (Advanced Reviews)","Custom Fonts"],"_cs_severities":["critical"],"_cs_tags":["web","vulnerability","arbitrary-file-upload","wordpress"],"_cs_type":"advisory","_cs_vendors":["Blocksy","WordPress"],"content_html":"\u003cp\u003eA critical arbitrary file upload vulnerability, identified as CVE-2026-15158, affects the Blocksy Companion plugin for WordPress, specifically its premium version (blocksy-companion-pro) in all versions up to and including 2.1.46. The flaw resides within the \u003ccode\u003esave_attachments\u003c/code\u003e function, which is part of the Custom Fonts extension. The vulnerability stems from an insecure file type validation mechanism: a \u003ccode\u003ewp_check_filetype_and_ext\u003c/code\u003e filter uses \u003ccode\u003estrpos()\u003c/code\u003e to approve filenames containing \u003ccode\u003e.woff2\u003c/code\u003e or \u003ccode\u003e.ttf\u003c/code\u003e as substrings, rather than strictly validating them as file extensions. This allows unauthenticated attackers to upload malicious files disguised with double extensions (e.g., \u003ccode\u003eshell.woff2.php\u003c/code\u003e), bypassing MIME type checks. Exploitation of this vulnerability grants attackers the ability to upload executable files, leading directly to remote code execution (RCE) on the affected WordPress site. This issue is only exploitable when both the WooCommerce Extra (Advanced Reviews) and Custom Fonts extensions are active in the premium plugin. The free \u003ccode\u003eblocksy-companion\u003c/code\u003e plugin is not affected.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance and Target Identification\u003c/strong\u003e: An unauthenticated attacker identifies a WordPress site running the Blocksy Companion Pro plugin (versions \u0026lt;= 2.1.46) with both the WooCommerce Extra (Advanced Reviews) and Custom Fonts extensions enabled.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Payload Crafting\u003c/strong\u003e: The attacker crafts a PHP webshell or other executable script, naming it with a double extension such as \u003ccode\u003eevil.woff2.php\u003c/code\u003e or \u003ccode\u003ebackdoor.ttf.php\u003c/code\u003e, to masquerade it as a legitimate font file.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArbitrary File Upload\u003c/strong\u003e: The attacker sends an unauthenticated HTTP POST request to the WordPress site's \u003ccode\u003eadmin-ajax.php\u003c/code\u003e endpoint, targeting the plugin's \u003ccode\u003esave_attachments\u003c/code\u003e function. The request includes the crafted malicious file within the \u003ccode\u003emultipart/form-data\u003c/code\u003e body.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMIME Type Validation Bypass\u003c/strong\u003e: The Blocksy Companion plugin's \u003ccode\u003ewp_check_filetype_and_ext\u003c/code\u003e filter, used by the Custom Fonts extension, processes the uploaded filename. Due to the use of \u003ccode\u003estrpos()\u003c/code\u003e for \u003ccode\u003e.woff2\u003c/code\u003e or \u003ccode\u003e.ttf\u003c/code\u003e substring checks instead of proper extension validation, the malicious \u003ccode\u003eevil.woff2.php\u003c/code\u003e file bypasses the intended MIME type restrictions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious File Placement\u003c/strong\u003e: The vulnerable \u003ccode\u003esave_attachments\u003c/code\u003e function proceeds to save the malicious \u003ccode\u003eevil.woff2.php\u003c/code\u003e file to a publicly accessible directory on the WordPress server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRemote Code Execution\u003c/strong\u003e: The attacker sends a subsequent HTTP GET request directly to the newly uploaded \u003ccode\u003eevil.woff2.php\u003c/code\u003e file. The web server executes the PHP script, allowing the attacker to run arbitrary commands on the server with the permissions of the web server process, achieving remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-15158 allows unauthenticated attackers to achieve full remote code execution on affected WordPress installations. This can lead to complete compromise of the website and underlying server, including data theft, defacement, installation of backdoors, further network penetration, or integration into botnets. While no specific victim count is available, any WordPress site utilizing the premium Blocksy Companion Pro plugin with both WooCommerce Extra and Custom Fonts extensions active in versions up to 2.1.46 is at critical risk. The impact extends beyond the website itself, potentially affecting customer data, business operations, and organizational reputation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-15158\u003c/strong\u003e: Immediately update the Blocksy Companion Pro plugin to a patched version (2.1.47 or newer) as soon as it becomes available.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDisable Vulnerable Extensions\u003c/strong\u003e: If immediate patching is not possible, disable the \u0026quot;WooCommerce Extra (Advanced Reviews)\u0026quot; and \u0026quot;Custom Fonts\u0026quot; extensions within Blocksy Companion Pro to mitigate the vulnerability until an update can be applied.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement Web Application Firewall (WAF) Rules\u003c/strong\u003e: Configure your WAF to inspect \u003ccode\u003emultipart/form-data\u003c/code\u003e uploads and block files with double extensions (e.g., \u003ccode\u003e*.woff2.php\u003c/code\u003e, \u003ccode\u003e*.ttf.php\u003c/code\u003e) when uploaded to WordPress plugin endpoints like \u003ccode\u003eadmin-ajax.php\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-09T10:21:05Z","date_published":"2026-07-09T10:21:05Z","id":"https://feed.craftedsignal.io/briefs/2026-07-blocksy-file-upload/","summary":"The Blocksy Companion plugin for WordPress, specifically the premium version (blocksy-companion-pro) with the WooCommerce Extra (Advanced Reviews) and Custom Fonts extensions active, is vulnerable to Arbitrary File Upload (CVE-2026-15158). This flaw, present in versions up to and including 2.1.46, arises from improper file type validation within the `save_attachments` function, allowing double-extension files like `shell.woff2.php` to bypass MIME checks, which unauthenticated attackers can exploit to upload executable files, leading to remote code execution.","title":"CVE-2026-15158: Blocksy Companion Plugin Arbitrary File Upload Leading to RCE","url":"https://feed.craftedsignal.io/briefs/2026-07-blocksy-file-upload/"}],"language":"en","title":"CraftedSignal Threat Feed - Blocksy-Companion-Pro","version":"https://jsonfeed.org/version/1.1"}