<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Blocksy - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/blocksy/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 08 Jul 2026 14:19:33 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/blocksy/feed.xml" rel="self" type="application/rss+xml"/><item><title>Critical RCE Vulnerability in Blocksy Companion Pro WordPress Plugin (CVE-2026-58480)</title><link>https://feed.craftedsignal.io/briefs/2026-07-wordpress-blocksy-file-upload-rce/</link><pubDate>Wed, 08 Jul 2026 14:19:33 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-wordpress-blocksy-file-upload-rce/</guid><description>An unauthenticated arbitrary file upload vulnerability (CVE-2026-58480) in Blocksy Companion Pro plugin for WordPress versions prior to 2.1.47 allows attackers to bypass extension validation via double-extension files, leading to remote code execution by forcing the web server to execute uploaded PHP files.</description><content:encoded><![CDATA[<p>A critical unauthenticated arbitrary file upload vulnerability, tracked as CVE-2026-58480, has been identified in the Blocksy Companion Pro plugin for WordPress, affecting all versions prior to 2.1.47. This flaw enables remote attackers to achieve arbitrary code execution on vulnerable WordPress installations. The vulnerability resides within the <code>save_attachments</code> function, exposed through the Advanced Reviews feature, where inadequate extension validation allows attackers to upload executable files. Specifically, a flawed <code>strpos()</code> substring check in the Custom Fonts extension's validation mechanism can be bypassed by using double-extension filenames (e.g., <code>shell.woff2.php</code>). This bypass tricks the web server into executing the uploaded file as PHP, giving attackers full control over the compromised website. This vulnerability presents a significant risk to affected organizations, allowing for website defacement, data theft, or further network compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies a WordPress site running the Blocksy Companion Pro plugin version prior to 2.1.47.</li>
<li>The attacker crafts a malicious file, such as <code>shell.woff2.php</code>, containing PHP code.</li>
<li>The attacker sends an HTTP POST request to the <code>save_attachments</code> function, which is exposed via the Advanced Reviews feature, attempting to upload the malicious file. This likely targets the <code>admin-ajax.php</code> endpoint.</li>
<li>The plugin's validation process, specifically the <code>strpos()</code> check in the Custom Fonts extension, mistakenly passes the filename <code>shell.woff2.php</code> because it contains the <code>.woff2</code> substring.</li>
<li>The <code>save_attachments</code> function proceeds with the upload, placing the file on the web server.</li>
<li>The web server, recognizing the <code>.php</code> extension, attempts to execute the uploaded file as a PHP script when accessed, leading to remote code execution.</li>
<li>The attacker gains arbitrary code execution, typically establishing a web shell for persistent access and further compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-58480 leads to full remote code execution on the compromised WordPress server. This allows attackers to deface websites, inject malicious content, exfiltrate sensitive data (e.g., customer information, intellectual property), establish persistent access via web shells, and potentially pivot to other systems within the network. For businesses relying on WordPress for e-commerce, content delivery, or lead generation, this can result in significant financial losses, reputational damage, and regulatory penalties. The high CVSS score of 9.8 reflects the critical nature of this unauthenticated RCE.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update the Blocksy Companion Pro plugin to version 2.1.47 or later to patch CVE-2026-58480.</li>
<li>Deploy the Sigma rule &quot;Detects CVE-2026-58480 Exploitation - Blocksy Companion Pro File Upload Bypass&quot; to your SIEM to detect attempts to exploit this vulnerability.</li>
<li>Enable detailed webserver logging (e.g., Apache access logs, Nginx access logs) to capture full HTTP request details, including URI stems, query strings, and request methods, which are crucial for the detection rule.</li>
<li>Regularly review web server access logs for suspicious file uploads to <code>/wp-content/uploads/</code> or other writable directories, especially for files with double extensions.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>wordpress</category><category>plugin</category><category>rce</category><category>file-upload</category><category>web</category></item></channel></rss>