eastbaycyber

CVE-2026-58480: Unauthenticated File Upload in Blocksy Companion Pro

CVE explainers 9 min read
SR
Security Research Desk Expert reviewed
Threat intelligence · Human-verified · Updated 2026-07-08
▲ Escalation ViewOne CVE, briefed at three altitudes — skim the Brief, weigh the Impact, or work the Runbook. The way a SOC actually reads it.
CISOBrief · 30-second brief

TL;DR - Critical unauthenticated file upload in Blocksy Companion Pro before 2.1.47. - Attackers may upload executable PHP via double-extension filenames and gain RCE. - Upgrade to 2.1.47 immediately and hunt for suspicious uploaded PHP files.

Vulnerability at a Glance

Field Value
CVE ID CVE-2026-58480
CVSS score 9.8 (Critical)
Attack vector Remote over the network via exposed plugin functionality
Auth required No authentication required
Patch available Yes, upgrade to 2.1.47

CVE-2026-58480 is a critical arbitrary file upload vulnerability in the Blocksy Companion Pro plugin for WordPress. According to the NVD description, the flaw affects Blocksy Companion Pro before 2.1.47 and is reachable without authentication through the plugin’s Advanced Reviews functionality.

The practical risk is high because the bug is not just a file upload issue in theory. The documented exploit path allows attackers to upload a file with a double extension, such as shell.woff2.php, so that a weak validation check accepts the upload while the web server may still execute the final .php extension. In a typical WordPress compromise chain, that can quickly become full site takeover.

What Is This Vulnerability?

The root cause is an improper file type validation check in the plugin’s attachment-handling logic. The NVD description points to the save_attachments function and describes a flawed strpos() substring check tied to the Custom Fonts extension logic. In plain terms, the code appears to look for an allowed extension string somewhere in the filename, rather than enforcing that the filename actually ends with an allowed extension.

That distinction matters. A secure upload filter should validate the true file type and the effective extension that the server will honor. A weak substring check can be bypassed by placing an allowed string inside a malicious filename. For example, if woff2 is allowed, a filename such as shell.woff2.php may pass validation because the string woff2 exists in the name, even though the final executable extension is php.

In WordPress environments, arbitrary file upload vulnerabilities often become remote code execution when two conditions are true: the uploaded file lands in a web-accessible path, and the server is configured to execute PHP from that location. The NVD description explicitly states that this flaw can lead to execution of attacker-supplied PHP, so defenders should treat the issue as an unauthenticated RCE path, not merely a low-impact upload bug.

Technical Notes

A simplified example of the dangerous pattern looks like this:

$filename = $_FILES['file']['name'];

if (strpos($filename, 'woff2') !== false) {
    // Incorrectly treated as safe
    move_uploaded_file($_FILES['file']['tmp_name'], $destination);
}

A safer approach is to validate the actual extension and content type, and to deny executable extensions entirely:

$ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
$allowed = ['woff', 'woff2', 'ttf', 'otf'];

if (!in_array($ext, $allowed, true)) {
    exit('Invalid file type');
}
AnalystImpact · assess the risk

Who Is Affected?

The affected product is Blocksy Companion Pro plugin for WordPress. Based on the NVD language, the affected range is before 2.1.47, which means defenders should assume 2.1.46 and earlier are vulnerable, and 2.1.47 is the first fixed version.

The vulnerable path is associated with the plugin’s Advanced Reviews feature and references behavior in the save_attachments function. The research note also ties the validation flaw to the Custom Fonts extension logic. In practice, organizations using Blocksy Companion Pro should not assume they are safe merely because they do not actively use every premium feature. If the vulnerable code is present and reachable, exposure may still exist depending on plugin configuration and how the site handles requests.

Multi-site WordPress deployments, managed hosting fleets, and agencies running many customer sites should prioritize asset inventory immediately. This is especially important where plugin updates are decentralized, because a single outdated premium plugin on one virtual host can become an attacker foothold. If you cannot confirm the installed version, treat the instance as potentially vulnerable until proven otherwise.

Technical Notes

You can verify the installed plugin version locally on a WordPress host by checking the plugin directory and metadata:

grep -R "Version:" /var/www/html/wp-content/plugins/blocksy-companion* -n

In WP-CLI environments, enumerate plugins and versions:

wp plugin list | grep -i blocksy

If the output shows a Blocksy Companion Pro version lower than 2.1.47, the instance should be treated as affected.

CVSS Score Breakdown

The reported CVSS base score is 9.8, which places CVE-2026-58480 in the Critical severity range. Although the full vector string was not available from the source material provided, the score aligns with a vulnerability that is network exploitable, requires no privileges, and can produce high impact on confidentiality, integrity, and availability.

That high score makes sense operationally. Unauthenticated file upload leading to PHP execution generally means an attacker can run arbitrary code in the context of the web server or PHP process. From there, an adversary may alter WordPress content, steal database credentials from configuration files, create administrator accounts, deploy web shells, or pivot deeper into the hosting environment.

Because the full vector string was not available, defenders should avoid over-claiming exact scoring components beyond what is supported by the record. Still, in the absence of the vector, teams should assume the score reflects the most dangerous realistic interpretation of the bug: low attack complexity, no authentication, and severe system compromise potential.

Technical Notes

Reasonable defensive assumptions based on the 9.8 score include:

  • Attack surface: internet-exposed WordPress application
  • Privileges required: none
  • User interaction: likely none for exploitation
  • Impact: possible full site compromise

If your risk register or change board requires the exact CVSS vector string, fetch and verify it directly from the NVD record before documenting it internally.

Exploitation Status

At the time of writing, public exploitation mechanics are known, but confirmed in-the-wild exploitation has not been established from the sources provided. The NVD record and referenced third-party advisories describe a practical attack path using a double-extension filename such as shell.woff2.php. That means defenders should assume exploit development is straightforward even if a standalone public GitHub PoC was not independently confirmed here.

CISA’s Known Exploited Vulnerabilities catalog status is also important context. The research note indicates CVE-2026-58480 is not listed in KEV. That means there is no CISA confirmation of active exploitation in the wild at this time. However, lack of KEV status should not be read as low risk. Internet-exposed WordPress plugin flaws with unauthenticated RCE potential are often opportunistically scanned and abused quickly once technical details circulate.

The best current assessment is:

  • Public PoC or exploit path known: Yes, the technique is publicly described.
  • Active exploitation confirmed in the wild: Unknown from available evidence.
  • CISA KEV listed: No.

Technical Notes

Defenders should monitor threat intel sources for changes in status, especially:

  • Patchstack advisory updates
  • Wordfence threat intelligence updates
  • VulnCheck reporting
  • CISA KEV additions

In the absence of confirmed exploitation data, the prudent assumption for exposed sites is that opportunistic scanning is likely.

ResponderRunbook · act now

How to Detect It

Detection should focus on three areas: plugin version exposure, suspicious file upload activity, and post-upload execution attempts. Start by identifying all WordPress instances running Blocksy Companion Pro and isolate those below 2.1.47. Version exposure alone is enough to prioritize emergency maintenance.

Next, inspect web server and WordPress logs for requests involving the review attachment workflow, suspicious multipart file uploads, and double-extension filenames containing strings like .woff2.php, .ttf.php, or .otf.php. Because the vulnerable path is tied to Advanced Reviews and save_attachments, any unauthenticated POST requests associated with review-image or attachment parameters deserve scrutiny.

Finally, hunt the filesystem for recently created PHP files under upload directories or plugin-related asset paths. In many WordPress intrusions, the first obvious indicator is not the upload itself but a follow-on GET request that executes the uploaded shell.

Technical Notes

Example filesystem hunt for suspicious PHP in upload paths:

find /var/www/html/wp-content/uploads -type f \( -name "*.php" -o -name "*.phtml" -o -name "*.php*" \) -ls

Search for suspicious double-extension uploads in web logs:

grep -RIE "woff2\.php|woff\.php|ttf\.php|otf\.php|blc-review-images|save_attachments" /var/log/nginx /var/log/apache2 2>/dev/null

Example suspicious log patterns to investigate:

POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Disposition: form-data; name="file"; filename="shell.woff2.php"

POST /?rest_route=... HTTP/1.1
multipart/form-data; boundary=...
filename="review-image.ttf.php"

GET /wp-content/uploads/2026/07/shell.woff2.php HTTP/1.1

Example Splunk query for web logs:

index=web (".woff2.php" OR ".ttf.php" OR ".otf.php" OR "blc-review-images" OR "save_attachments")
| stats count by host, uri, src_ip, http_method, user_agent

If you do not retain multipart request bodies, look for the telltale sequence of a POST upload followed by a GET or POST to the uploaded PHP path from the same source IP or user agent.

Mitigation and Patching

The primary mitigation is to upgrade Blocksy Companion Pro to version 2.1.47 or later. The affected range is explicitly before 2.1.47, so that version is the minimum safe target based on currently available information. If you manage multiple WordPress estates, patching should be paired with validation that no malicious files were already uploaded before the fix was applied.

If you cannot patch immediately, reduce exposure by temporarily disabling the vulnerable plugin or the affected feature set if your operational model allows it. Additional containment steps include blocking PHP execution from upload directories, tightening web application firewall rules around suspicious multipart uploads, and restricting direct access to uploaded content. These are workarounds, not substitutes for the vendor fix, because the vulnerable code path remains present until the plugin is upgraded.

You should also assume that a vulnerable internet-facing site may already be compromised. After patching, review administrator accounts, scheduled tasks, wp-config.php, theme functions.php, mu-plugins, and upload directories for persistence or dropped shells.

Technical Notes

WP-CLI upgrade workflow:

wp plugin list | grep -i blocksy
wp plugin update blocksy-companion

If your environment uses manual plugin deployment, verify the installed version after upgrade:

grep -R "Version:" /var/www/html/wp-content/plugins/blocksy-companion* -n

Temporary Apache hardening to prevent PHP execution in uploads:

<Directory "/var/www/html/wp-content/uploads">
    php_admin_flag engine off
    <FilesMatch "\.ph(p[0-9]?|tml)$">
        Require all denied
    </FilesMatch>
</Directory>

Temporary Nginx hardening example:

location ~* ^/wp-content/uploads/.*\.(php|phtml|php[0-9]?)$ {
    deny all;
}

If you must disable the plugin pending maintenance:

wp plugin deactivate blocksy-companion

Use that only as a temporary control, because it may affect site functionality.

References

The most authoritative starting point is the NVD entry for CVE-2026-58480, which documents the vulnerability as an unauthenticated arbitrary file upload in Blocksy Companion Pro before 2.1.47 and explains the double-extension bypass via the save_attachments function. That record is the anchor for product scope, severity, and fixed-version threshold.

Additional third-party advisories provide supporting context on exploitation mechanics, affected versions, and operational risk. These include Patchstack, VulnCheck, and Wordfence. Product and vendor context for Blocksy Companion and Creative Themes can be validated through the official Blocksy Companion pages.

For further reading on related vulnerabilities, you can visit the following links: What is Kerberoasting? and How to Prevent Prompt Injection in LLM Applications.

Technical Notes

Primary references:

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Last verified: 2026-07-08

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.