<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>WordPress - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/wordpress/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 08 Jul 2026 14:19:33 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/wordpress/feed.xml" rel="self" type="application/rss+xml"/><item><title>Critical RCE Vulnerability in Blocksy Companion Pro WordPress Plugin (CVE-2026-58480)</title><link>https://feed.craftedsignal.io/briefs/2026-07-wordpress-blocksy-file-upload-rce/</link><pubDate>Wed, 08 Jul 2026 14:19:33 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-wordpress-blocksy-file-upload-rce/</guid><description>An unauthenticated arbitrary file upload vulnerability (CVE-2026-58480) in Blocksy Companion Pro plugin for WordPress versions prior to 2.1.47 allows attackers to bypass extension validation via double-extension files, leading to remote code execution by forcing the web server to execute uploaded PHP files.</description><content:encoded><![CDATA[<p>A critical unauthenticated arbitrary file upload vulnerability, tracked as CVE-2026-58480, has been identified in the Blocksy Companion Pro plugin for WordPress, affecting all versions prior to 2.1.47. This flaw enables remote attackers to achieve arbitrary code execution on vulnerable WordPress installations. The vulnerability resides within the <code>save_attachments</code> function, exposed through the Advanced Reviews feature, where inadequate extension validation allows attackers to upload executable files. Specifically, a flawed <code>strpos()</code> substring check in the Custom Fonts extension's validation mechanism can be bypassed by using double-extension filenames (e.g., <code>shell.woff2.php</code>). This bypass tricks the web server into executing the uploaded file as PHP, giving attackers full control over the compromised website. This vulnerability presents a significant risk to affected organizations, allowing for website defacement, data theft, or further network compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies a WordPress site running the Blocksy Companion Pro plugin version prior to 2.1.47.</li>
<li>The attacker crafts a malicious file, such as <code>shell.woff2.php</code>, containing PHP code.</li>
<li>The attacker sends an HTTP POST request to the <code>save_attachments</code> function, which is exposed via the Advanced Reviews feature, attempting to upload the malicious file. This likely targets the <code>admin-ajax.php</code> endpoint.</li>
<li>The plugin's validation process, specifically the <code>strpos()</code> check in the Custom Fonts extension, mistakenly passes the filename <code>shell.woff2.php</code> because it contains the <code>.woff2</code> substring.</li>
<li>The <code>save_attachments</code> function proceeds with the upload, placing the file on the web server.</li>
<li>The web server, recognizing the <code>.php</code> extension, attempts to execute the uploaded file as a PHP script when accessed, leading to remote code execution.</li>
<li>The attacker gains arbitrary code execution, typically establishing a web shell for persistent access and further compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-58480 leads to full remote code execution on the compromised WordPress server. This allows attackers to deface websites, inject malicious content, exfiltrate sensitive data (e.g., customer information, intellectual property), establish persistent access via web shells, and potentially pivot to other systems within the network. For businesses relying on WordPress for e-commerce, content delivery, or lead generation, this can result in significant financial losses, reputational damage, and regulatory penalties. The high CVSS score of 9.8 reflects the critical nature of this unauthenticated RCE.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update the Blocksy Companion Pro plugin to version 2.1.47 or later to patch CVE-2026-58480.</li>
<li>Deploy the Sigma rule &quot;Detects CVE-2026-58480 Exploitation - Blocksy Companion Pro File Upload Bypass&quot; to your SIEM to detect attempts to exploit this vulnerability.</li>
<li>Enable detailed webserver logging (e.g., Apache access logs, Nginx access logs) to capture full HTTP request details, including URI stems, query strings, and request methods, which are crucial for the detection rule.</li>
<li>Regularly review web server access logs for suspicious file uploads to <code>/wp-content/uploads/</code> or other writable directories, especially for files with double extensions.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>wordpress</category><category>plugin</category><category>rce</category><category>file-upload</category><category>web</category></item><item><title>CVE-2026-6820: VikBooking WordPress Plugin Stored XSS Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-07-vikbooking-xss/</link><pubDate>Wed, 08 Jul 2026 13:21:24 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-vikbooking-xss/</guid><description>An unauthenticated Stored Cross-Site Scripting vulnerability (CVE-2026-6820) in the VikBooking Hotel Booking Engine &amp; PMS plugin for WordPress versions up to 1.8.8 allows attackers to inject malicious web scripts via the 'email' parameter, leading to client-side code execution in victims' browsers.</description><content:encoded><![CDATA[<p>A critical vulnerability, identified as CVE-2026-6820, has been discovered in the VikBooking Hotel Booking Engine &amp; PMS plugin for WordPress, affecting all versions up to and including 1.8.8. This Stored Cross-Site Scripting (XSS) flaw stems from insufficient input sanitization and output escaping of the 'email' parameter. Unauthenticated attackers can exploit this by injecting malicious web scripts into the plugin's data. These scripts are then persistently stored and subsequently executed in the browsers of legitimate users or administrators who access an affected page. The vulnerability, publicly disclosed on July 8, 2026, poses a significant risk to websites using the plugin, potentially leading to session hijacking, defacement, or further client-side exploitation without requiring any prior authentication from the attacker.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker crafts an HTTP POST request targeting a WordPress endpoint handled by the VikBooking plugin (e.g., a booking form submission or a profile update function accessible to unauthenticated users).</li>
<li>The attacker embeds a malicious JavaScript payload within the 'email' parameter of this POST request, for instance, <code>&lt;script&gt;alert('XSS');&lt;/script&gt;</code>.</li>
<li>Due to inadequate input validation, the VikBooking plugin processes and stores this unsanitized 'email' parameter, including the embedded script, into the WordPress database.</li>
<li>The malicious script becomes persistently stored on the server as part of the plugin's data, associated with a booking or user entry.</li>
<li>A legitimate user or administrator subsequently navigates to a WordPress page (e.g., a booking details page, an admin panel view) that retrieves and displays the compromised 'email' parameter from the database.</li>
<li>When the affected page loads in the victim's browser, the stored malicious JavaScript payload is executed within the context of the victim's session.</li>
<li>This client-side execution can lead to session hijacking (e.g., cookie theft), redirection to malicious sites, defacement of the webpage, or the download and execution of further malware.</li>
<li>The attacker achieves their objective, potentially gaining unauthorized access to sensitive information or control over the victim's session.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-6820 can lead to severe consequences for organizations utilizing the VikBooking Hotel Booking Engine &amp; PMS plugin. Attackers can hijack administrator sessions, leading to full compromise of the WordPress site, including data exfiltration, website defacement, or malware distribution to visitors. For regular users, session hijacking could expose personal booking details or lead to credential theft via phishing. Given the plugin's function, hospitality businesses and any entity managing bookings online are particularly vulnerable. While no specific victim count is available, the widespread use of WordPress and its plugins suggests a significant potential attack surface, impacting reputation, data privacy, and operational continuity.</p>
<h2 id="recommendation">Recommendation</h2>
<ol>
<li>Immediately update the VikBooking Hotel Booking Engine &amp; PMS plugin to version 1.8.9 or higher to patch CVE-2026-6820.</li>
<li>Deploy or update Web Application Firewall (WAF) rules to detect and block common Stored XSS payloads, specifically targeting inputs to WordPress endpoints that handle the 'email' parameter as described for CVE-2026-6820.</li>
<li>Review web server access logs (e.g., Apache, Nginx) for HTTP POST requests to WordPress paths containing the 'email' parameter with suspicious characters, such as <code>&lt;script&gt;</code>, <code>onerror=</code>, or <code>javascript:</code>, which could indicate exploitation attempts of CVE-2026-6820.</li>
<li>Conduct security audits of all WordPress installations and plugins to identify and remediate similar input sanitization and output escaping vulnerabilities.</li>
</ol>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>wordpress</category><category>plugin</category><category>xss</category><category>web-vulnerability</category></item></channel></rss>