CVE-2026-58480 Overview
CVE-2026-58480 is an unauthenticated arbitrary file upload vulnerability in the Blocksy Companion Pro plugin for WordPress before version 2.1.47. The flaw resides in the save_attachments function exposed through the Advanced Reviews feature. The Custom Fonts extension performs a weak strpos() substring check on filenames instead of validating the true file extension. Attackers can bypass this validation by supplying double-extension filenames such as shell.woff2.php, which pass the substring match while the web server executes them as PHP. Successful exploitation allows remote code execution on the underlying WordPress host without any authentication [CWE-434].
Critical Impact
Unauthenticated attackers can upload and execute arbitrary PHP files, leading to full remote code execution on affected WordPress sites.
Affected Products
- Blocksy Companion Pro plugin for WordPress, versions prior to 2.1.47
- WordPress sites with the Advanced Reviews feature enabled
- WordPress sites with the Custom Fonts extension enabled
Discovery Timeline
- 2026-07-08 - CVE-2026-58480 published to NVD
- 2026-07-08 - Last updated in NVD database
Technical Details for CVE-2026-58480
Vulnerability Analysis
The vulnerability exists in the save_attachments function reachable through the plugin's Advanced Reviews feature via the blc-review-images parameter. The endpoint is exposed without authentication, so any anonymous visitor can invoke it. The Custom Fonts extension is responsible for validating attachment filenames before they are written to disk. Its validation logic relies on strpos() to look for allowed font extensions such as .woff2 anywhere within the filename string. This substring approach does not anchor the check to the real, final extension of the file.
An attacker submits a filename containing a permitted substring followed by an executable extension, for example shell.woff2.php. The strpos() check succeeds because the string woff2 is present, and the file is saved to a web-accessible directory. When Apache or another PHP-enabled web server resolves the file, it executes it as PHP based on the trailing .php extension, yielding remote code execution as the web server user.
Root Cause
The root cause is improper input validation of uploaded filenames [CWE-434]. Substring matching using strpos() is not equivalent to extension validation. Safe implementations must parse the actual final extension, use an allowlist, and reject filenames containing multiple extensions or executable suffixes.
Attack Vector
The attack is remote and network-based. An attacker sends a crafted HTTP POST request to the plugin's save_attachments handler with a double-extension file in the blc-review-images parameter. No credentials, user interaction, or prior access are required. Once the file is written to the uploads directory, the attacker requests its URL, and the server executes the embedded PHP payload.
No verified public proof-of-concept code is referenced in the advisory. See the VulnCheck Security Advisory and the Wordfence Vulnerability Analysis for technical details.
Detection Methods for CVE-2026-58480
Indicators of Compromise
- New PHP files inside wp-content/uploads/ or plugin-controlled attachment directories, especially with double extensions such as .woff2.php, .jpg.php, or .png.php
- HTTP POST requests to plugin endpoints containing the blc-review-images parameter from unauthenticated sources
- Outbound connections from the PHP-FPM or web server process to unfamiliar hosts following upload activity
Detection Strategies
- Inspect web server access logs for POST requests referencing save_attachments, blc-review-images, or Blocksy Companion review endpoints originating from unauthenticated clients
- Alert on file writes to the WordPress uploads directory where the resulting filename contains more than one extension or ends in .php, .phtml, or .phar
- Correlate file creation events in wp-content/uploads/ with immediate GET requests to the same file path, a common webshell access pattern
Monitoring Recommendations
- Enable file integrity monitoring on the WordPress installation directory and uploads path
- Forward web server access logs, PHP error logs, and plugin activity to a centralized log platform for correlation
- Monitor process lineage where the web server user spawns shells, curl, wget, or scripting interpreters
How to Mitigate CVE-2026-58480
Immediate Actions Required
- Update Blocksy Companion Pro to version 2.1.47 or later on all WordPress sites
- Audit wp-content/uploads/ for suspicious files with double extensions or PHP content and remove any confirmed webshells
- Rotate WordPress administrator credentials, API keys, and database passwords if compromise is suspected
- Review web server logs for prior exploitation attempts referencing blc-review-images or the save_attachments endpoint
Patch Information
The vendor addressed the flaw in Blocksy Companion Pro version 2.1.47 by hardening filename and extension validation in the save_attachments function. Refer to the Patchstack Vulnerability Report and the WordPress Blocksy Companion Plugin page for the fixed release.
Workarounds
- If immediate patching is not possible, disable the Blocksy Companion Pro plugin or specifically the Advanced Reviews and Custom Fonts extensions
- Configure the web server to prevent PHP execution within the wp-content/uploads/ directory using directives that disable script handlers for that path
- Deploy a web application firewall rule to block unauthenticated POST requests containing the blc-review-images parameter or filenames with multiple extensions
# Example Apache configuration to block PHP execution in uploads
<Directory "/var/www/html/wp-content/uploads">
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
Require all denied
</FilesMatch>
php_flag engine off
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

