Critical RCE Vulnerability in Blocksy Companion Pro Plugin Discovered

Critical RCE Vulnerability in Blocksy Companion Pro Plugin Discovered

First seen 9 Jul 2026, 18:11 UTC Sherlockforensicsnvd.nist.govpatchstack.com 79% similarity 78.0

Article Content

Browse articles
ThreatCluster

A critical vulnerability, CVE-2026-58480, has been identified in the Blocksy Companion Pro plugin for WordPress versions prior to 2.1.47. This unauthenticated arbitrary file upload vulnerability allows attackers to upload executable files by bypassing extension validation through the Advanced Reviews feature. Exploitation can occur via the Custom Fonts extension's flawed strpos() check, enabling remote code execution when double-extension filenames like shell.woff2.php are uploaded. The vulnerability has a CVSS score of 9.8, indicating a severe risk for organizations using affected versions. Users are advised to patch immediately to mitigate potential exploitation. The CVE was published on 2026-07-08, and organizations are urged to assess their exposure to this critical flaw.

Key Points: • CVE-2026-58480 is a critical RCE vulnerability with a CVSS score of 9.8. • The vulnerability affects Blocksy Companion Pro plugin for WordPress versions before 2.1.47. • Attackers can exploit the flaw to upload malicious files without authentication.

ThreatCluster AI

Timeline

2026-07-08
CVE-2026-58480 published
The National Vulnerability Database published the critical vulnerability affecting Blocksy Companion Pro plugin.
nvd.nist.gov

Community

Browse all →