{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/wordpress/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-58480"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Blocksy Companion Pro plugin \u003c 2.1.47","WordPress"],"_cs_severities":["critical"],"_cs_tags":["wordpress","plugin","rce","file-upload","web"],"_cs_type":"advisory","_cs_vendors":["Blocksy","WordPress"],"content_html":"\u003cp\u003eA critical unauthenticated arbitrary file upload vulnerability, tracked as CVE-2026-58480, has been identified in the Blocksy Companion Pro plugin for WordPress, affecting all versions prior to 2.1.47. This flaw enables remote attackers to achieve arbitrary code execution on vulnerable WordPress installations. The vulnerability resides within the \u003ccode\u003esave_attachments\u003c/code\u003e function, exposed through the Advanced Reviews feature, where inadequate extension validation allows attackers to upload executable files. Specifically, a flawed \u003ccode\u003estrpos()\u003c/code\u003e substring check in the Custom Fonts extension's validation mechanism can be bypassed by using double-extension filenames (e.g., \u003ccode\u003eshell.woff2.php\u003c/code\u003e). This bypass tricks the web server into executing the uploaded file as PHP, giving attackers full control over the compromised website. This vulnerability presents a significant risk to affected organizations, allowing for website defacement, data theft, or further network compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site running the Blocksy Companion Pro plugin version prior to 2.1.47.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious file, such as \u003ccode\u003eshell.woff2.php\u003c/code\u003e, containing PHP code.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP POST request to the \u003ccode\u003esave_attachments\u003c/code\u003e function, which is exposed via the Advanced Reviews feature, attempting to upload the malicious file. This likely targets the \u003ccode\u003eadmin-ajax.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe plugin's validation process, specifically the \u003ccode\u003estrpos()\u003c/code\u003e check in the Custom Fonts extension, mistakenly passes the filename \u003ccode\u003eshell.woff2.php\u003c/code\u003e because it contains the \u003ccode\u003e.woff2\u003c/code\u003e substring.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esave_attachments\u003c/code\u003e function proceeds with the upload, placing the file on the web server.\u003c/li\u003e\n\u003cli\u003eThe web server, recognizing the \u003ccode\u003e.php\u003c/code\u003e extension, attempts to execute the uploaded file as a PHP script when accessed, leading to remote code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution, typically establishing a web shell for persistent access and further compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-58480 leads to full remote code execution on the compromised WordPress server. This allows attackers to deface websites, inject malicious content, exfiltrate sensitive data (e.g., customer information, intellectual property), establish persistent access via web shells, and potentially pivot to other systems within the network. For businesses relying on WordPress for e-commerce, content delivery, or lead generation, this can result in significant financial losses, reputational damage, and regulatory penalties. The high CVSS score of 9.8 reflects the critical nature of this unauthenticated RCE.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the Blocksy Companion Pro plugin to version 2.1.47 or later to patch CVE-2026-58480.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detects CVE-2026-58480 Exploitation - Blocksy Companion Pro File Upload Bypass\u0026quot; to your SIEM to detect attempts to exploit this vulnerability.\u003c/li\u003e\n\u003cli\u003eEnable detailed webserver logging (e.g., Apache access logs, Nginx access logs) to capture full HTTP request details, including URI stems, query strings, and request methods, which are crucial for the detection rule.\u003c/li\u003e\n\u003cli\u003eRegularly review web server access logs for suspicious file uploads to \u003ccode\u003e/wp-content/uploads/\u003c/code\u003e or other writable directories, especially for files with double extensions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-08T14:19:33Z","date_published":"2026-07-08T14:19:33Z","id":"https://feed.craftedsignal.io/briefs/2026-07-wordpress-blocksy-file-upload-rce/","summary":"An unauthenticated arbitrary file upload vulnerability (CVE-2026-58480) in Blocksy Companion Pro plugin for WordPress versions prior to 2.1.47 allows attackers to bypass extension validation via double-extension files, leading to remote code execution by forcing the web server to execute uploaded PHP files.","title":"Critical RCE Vulnerability in Blocksy Companion Pro WordPress Plugin (CVE-2026-58480)","url":"https://feed.craftedsignal.io/briefs/2026-07-wordpress-blocksy-file-upload-rce/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-6820"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["VikBooking Hotel Booking Engine \u0026 PMS (\u003c= 1.8.8)","WordPress"],"_cs_severities":["high"],"_cs_tags":["wordpress","plugin","xss","web-vulnerability"],"_cs_type":"advisory","_cs_vendors":["e4j","WordPress Foundation"],"content_html":"\u003cp\u003eA critical vulnerability, identified as CVE-2026-6820, has been discovered in the VikBooking Hotel Booking Engine \u0026amp; PMS plugin for WordPress, affecting all versions up to and including 1.8.8. This Stored Cross-Site Scripting (XSS) flaw stems from insufficient input sanitization and output escaping of the 'email' parameter. Unauthenticated attackers can exploit this by injecting malicious web scripts into the plugin's data. These scripts are then persistently stored and subsequently executed in the browsers of legitimate users or administrators who access an affected page. The vulnerability, publicly disclosed on July 8, 2026, poses a significant risk to websites using the plugin, potentially leading to session hijacking, defacement, or further client-side exploitation without requiring any prior authentication from the attacker.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts an HTTP POST request targeting a WordPress endpoint handled by the VikBooking plugin (e.g., a booking form submission or a profile update function accessible to unauthenticated users).\u003c/li\u003e\n\u003cli\u003eThe attacker embeds a malicious JavaScript payload within the 'email' parameter of this POST request, for instance, \u003ccode\u003e\u0026lt;script\u0026gt;alert('XSS');\u0026lt;/script\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to inadequate input validation, the VikBooking plugin processes and stores this unsanitized 'email' parameter, including the embedded script, into the WordPress database.\u003c/li\u003e\n\u003cli\u003eThe malicious script becomes persistently stored on the server as part of the plugin's data, associated with a booking or user entry.\u003c/li\u003e\n\u003cli\u003eA legitimate user or administrator subsequently navigates to a WordPress page (e.g., a booking details page, an admin panel view) that retrieves and displays the compromised 'email' parameter from the database.\u003c/li\u003e\n\u003cli\u003eWhen the affected page loads in the victim's browser, the stored malicious JavaScript payload is executed within the context of the victim's session.\u003c/li\u003e\n\u003cli\u003eThis client-side execution can lead to session hijacking (e.g., cookie theft), redirection to malicious sites, defacement of the webpage, or the download and execution of further malware.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, potentially gaining unauthorized access to sensitive information or control over the victim's session.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-6820 can lead to severe consequences for organizations utilizing the VikBooking Hotel Booking Engine \u0026amp; PMS plugin. Attackers can hijack administrator sessions, leading to full compromise of the WordPress site, including data exfiltration, website defacement, or malware distribution to visitors. For regular users, session hijacking could expose personal booking details or lead to credential theft via phishing. Given the plugin's function, hospitality businesses and any entity managing bookings online are particularly vulnerable. While no specific victim count is available, the widespread use of WordPress and its plugins suggests a significant potential attack surface, impacting reputation, data privacy, and operational continuity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eImmediately update the VikBooking Hotel Booking Engine \u0026amp; PMS plugin to version 1.8.9 or higher to patch CVE-2026-6820.\u003c/li\u003e\n\u003cli\u003eDeploy or update Web Application Firewall (WAF) rules to detect and block common Stored XSS payloads, specifically targeting inputs to WordPress endpoints that handle the 'email' parameter as described for CVE-2026-6820.\u003c/li\u003e\n\u003cli\u003eReview web server access logs (e.g., Apache, Nginx) for HTTP POST requests to WordPress paths containing the 'email' parameter with suspicious characters, such as \u003ccode\u003e\u0026lt;script\u0026gt;\u003c/code\u003e, \u003ccode\u003eonerror=\u003c/code\u003e, or \u003ccode\u003ejavascript:\u003c/code\u003e, which could indicate exploitation attempts of CVE-2026-6820.\u003c/li\u003e\n\u003cli\u003eConduct security audits of all WordPress installations and plugins to identify and remediate similar input sanitization and output escaping vulnerabilities.\u003c/li\u003e\n\u003c/ol\u003e\n","date_modified":"2026-07-08T13:21:24Z","date_published":"2026-07-08T13:21:24Z","id":"https://feed.craftedsignal.io/briefs/2026-07-vikbooking-xss/","summary":"An unauthenticated Stored Cross-Site Scripting vulnerability (CVE-2026-6820) in the VikBooking Hotel Booking Engine \u0026 PMS plugin for WordPress versions up to 1.8.8 allows attackers to inject malicious web scripts via the 'email' parameter, leading to client-side code execution in victims' browsers.","title":"CVE-2026-6820: VikBooking WordPress Plugin Stored XSS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-07-vikbooking-xss/"}],"language":"en","title":"CraftedSignal Threat Feed - WordPress","version":"https://jsonfeed.org/version/1.1"}