CVE-2026-15158

CreativeThemesHQ · Blocksy Companion

A flaw in the Blocksy Companion plugin's file validation allows unauthenticated attackers to upload malicious files, leading to remote code execution when specific premium extensions are active.

Executive summary

A critical arbitrary file upload vulnerability in the Blocksy Companion plugin for WordPress allows unauthenticated attackers to achieve remote code execution.

Vulnerability

The plugin uses improper validation for file extensions in the save_attachments function, allowing files with double extensions (e.g., .php files disguised as .woff2) to be uploaded and executed by the server.

Business impact

This vulnerability allows unauthenticated attackers to execute arbitrary code on the WordPress host, which can lead to complete site takeover, database theft, or the distribution of malware to site visitors. The CVSS score of 9.8 reflects the high risk of total system compromise.

Remediation

Immediate Action: Update the Blocksy Companion plugin to the latest version immediately to patch the file validation logic.

Proactive Monitoring: Monitor site logs for unusual file upload requests or attempts to access newly created files in the uploads directory.

Compensating Controls: Use a WordPress security plugin to restrict file uploads and monitor for unauthorized changes to the site's filesystem.

Exploitation status

Public Exploit Available: False

Analyst recommendation

This vulnerability is severe and poses a direct threat to the integrity and availability of the WordPress site. Administrators must verify if the vulnerable premium extensions are in use and apply the update immediately to mitigate the risk of remote code execution.