CVE-2026-58480
Creative Themes · Blocksy Companion
The Blocksy Companion WordPress plugin is vulnerable to unauthenticated arbitrary file uploads via the save_attachments function, enabling remote code execution by bypassing file extension validation.
Executive summary
An unauthenticated arbitrary file upload vulnerability in the Blocksy Companion plugin for WordPress poses a critical risk of remote code execution.
Vulnerability
This vulnerability exists due to improper input validation in the save_attachments function, which allows unauthenticated attackers to upload malicious files. By utilizing double-extension filenames, an attacker can bypass the extension filter and trigger execution of arbitrary PHP code on the underlying web server.
Business impact
A successful exploit grants an attacker full remote code execution capabilities on the host server. This could lead to a complete compromise of the WordPress environment, unauthorized access to site databases, and the potential for lateral movement within the hosting infrastructure. Given the 9.8 CVSS score, this vulnerability represents an immediate and severe threat to business continuity and data integrity.
Remediation
Immediate Action: Update the Blocksy Companion plugin to version 2.1.47 or later immediately.
Proactive Monitoring: Review web server access logs for requests targeting the Advanced Reviews feature or suspicious file paths containing double extensions (e.g., .php.woff2).
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to block file uploads containing prohibited extensions or suspicious patterns in request parameters.
Exploitation status
Public Exploit Available: No
Analyst recommendation
The ability for an unauthenticated attacker to execute arbitrary code makes this a top-priority remediation item. Administrators must verify their current plugin version and apply the update without delay to prevent potential site takeovers.