<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Blocksy-Companion-Pro - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/blocksy-companion-pro/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 09 Jul 2026 10:21:05 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/blocksy-companion-pro/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-15158: Blocksy Companion Plugin Arbitrary File Upload Leading to RCE</title><link>https://feed.craftedsignal.io/briefs/2026-07-blocksy-file-upload/</link><pubDate>Thu, 09 Jul 2026 10:21:05 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-blocksy-file-upload/</guid><description>The Blocksy Companion plugin for WordPress, specifically the premium version (blocksy-companion-pro) with the WooCommerce Extra (Advanced Reviews) and Custom Fonts extensions active, is vulnerable to Arbitrary File Upload (CVE-2026-15158). This flaw, present in versions up to and including 2.1.46, arises from improper file type validation within the `save_attachments` function, allowing double-extension files like `shell.woff2.php` to bypass MIME checks, which unauthenticated attackers can exploit to upload executable files, leading to remote code execution.</description><content:encoded><![CDATA[<p>A critical arbitrary file upload vulnerability, identified as CVE-2026-15158, affects the Blocksy Companion plugin for WordPress, specifically its premium version (blocksy-companion-pro) in all versions up to and including 2.1.46. The flaw resides within the <code>save_attachments</code> function, which is part of the Custom Fonts extension. The vulnerability stems from an insecure file type validation mechanism: a <code>wp_check_filetype_and_ext</code> filter uses <code>strpos()</code> to approve filenames containing <code>.woff2</code> or <code>.ttf</code> as substrings, rather than strictly validating them as file extensions. This allows unauthenticated attackers to upload malicious files disguised with double extensions (e.g., <code>shell.woff2.php</code>), bypassing MIME type checks. Exploitation of this vulnerability grants attackers the ability to upload executable files, leading directly to remote code execution (RCE) on the affected WordPress site. This issue is only exploitable when both the WooCommerce Extra (Advanced Reviews) and Custom Fonts extensions are active in the premium plugin. The free <code>blocksy-companion</code> plugin is not affected.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Reconnaissance and Target Identification</strong>: An unauthenticated attacker identifies a WordPress site running the Blocksy Companion Pro plugin (versions &lt;= 2.1.46) with both the WooCommerce Extra (Advanced Reviews) and Custom Fonts extensions enabled.</li>
<li><strong>Malicious Payload Crafting</strong>: The attacker crafts a PHP webshell or other executable script, naming it with a double extension such as <code>evil.woff2.php</code> or <code>backdoor.ttf.php</code>, to masquerade it as a legitimate font file.</li>
<li><strong>Arbitrary File Upload</strong>: The attacker sends an unauthenticated HTTP POST request to the WordPress site's <code>admin-ajax.php</code> endpoint, targeting the plugin's <code>save_attachments</code> function. The request includes the crafted malicious file within the <code>multipart/form-data</code> body.</li>
<li><strong>MIME Type Validation Bypass</strong>: The Blocksy Companion plugin's <code>wp_check_filetype_and_ext</code> filter, used by the Custom Fonts extension, processes the uploaded filename. Due to the use of <code>strpos()</code> for <code>.woff2</code> or <code>.ttf</code> substring checks instead of proper extension validation, the malicious <code>evil.woff2.php</code> file bypasses the intended MIME type restrictions.</li>
<li><strong>Malicious File Placement</strong>: The vulnerable <code>save_attachments</code> function proceeds to save the malicious <code>evil.woff2.php</code> file to a publicly accessible directory on the WordPress server.</li>
<li><strong>Remote Code Execution</strong>: The attacker sends a subsequent HTTP GET request directly to the newly uploaded <code>evil.woff2.php</code> file. The web server executes the PHP script, allowing the attacker to run arbitrary commands on the server with the permissions of the web server process, achieving remote code execution.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-15158 allows unauthenticated attackers to achieve full remote code execution on affected WordPress installations. This can lead to complete compromise of the website and underlying server, including data theft, defacement, installation of backdoors, further network penetration, or integration into botnets. While no specific victim count is available, any WordPress site utilizing the premium Blocksy Companion Pro plugin with both WooCommerce Extra and Custom Fonts extensions active in versions up to 2.1.46 is at critical risk. The impact extends beyond the website itself, potentially affecting customer data, business operations, and organizational reputation.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-2026-15158</strong>: Immediately update the Blocksy Companion Pro plugin to a patched version (2.1.47 or newer) as soon as it becomes available.</li>
<li><strong>Disable Vulnerable Extensions</strong>: If immediate patching is not possible, disable the &quot;WooCommerce Extra (Advanced Reviews)&quot; and &quot;Custom Fonts&quot; extensions within Blocksy Companion Pro to mitigate the vulnerability until an update can be applied.</li>
<li><strong>Implement Web Application Firewall (WAF) Rules</strong>: Configure your WAF to inspect <code>multipart/form-data</code> uploads and block files with double extensions (e.g., <code>*.woff2.php</code>, <code>*.ttf.php</code>) when uploaded to WordPress plugin endpoints like <code>admin-ajax.php</code>.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>web</category><category>vulnerability</category><category>arbitrary-file-upload</category><category>wordpress</category></item></channel></rss>