Sherlockforensics
Critical RCE Vulnerability in Blocksy Companion Pro Plugin Discovered
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
A critical vulnerability, CVE-2026-58480, has been identified in the Blocksy Companion Pro plugin for WordPress versions prior to 2.1.47. This unauthenticated arbitrary file upload vulnerability allows attackers to upload executable files by bypassing extension validation through the Advanced Reviews feature. Exploitation can occur via the Custom Fonts extension's flawed strpos() check, enabling remote code execution when double-extension filenames like shell.woff2.php are uploaded. The vulnerability has a CVSS score of 9.8, indicating a severe risk for organizations using affected versions. Users are advised to patch immediately to mitigate potential exploitation. The CVE was published on 2026-07-08, and organizations are urged to assess their exposure to this critical flaw.
Key Points: • CVE-2026-58480 is a critical RCE vulnerability with a CVSS score of 9.8. • The vulnerability affects Blocksy Companion Pro plugin for WordPress versions before 2.1.47. • Attackers can exploit the flaw to upload malicious files without authentication.