Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-58480

CVE-2026-58480: Blocksy Companion Pro RCE Vulnerability

CVE-2026-58480 is an unauthenticated file upload vulnerability in Blocksy Companion Pro for WordPress that enables remote code execution through double-extension bypass. This article covers technical details, impact, and mitigation.

Published:

CVE-2026-58480 Overview

CVE-2026-58480 is an unauthenticated arbitrary file upload vulnerability in the Blocksy Companion Pro plugin for WordPress before version 2.1.47. The flaw resides in the save_attachments function exposed through the Advanced Reviews feature. The Custom Fonts extension performs a weak strpos() substring check on filenames instead of validating the true file extension. Attackers can bypass this validation by supplying double-extension filenames such as shell.woff2.php, which pass the substring match while the web server executes them as PHP. Successful exploitation allows remote code execution on the underlying WordPress host without any authentication [CWE-434].

Critical Impact

Unauthenticated attackers can upload and execute arbitrary PHP files, leading to full remote code execution on affected WordPress sites.

Affected Products

  • Blocksy Companion Pro plugin for WordPress, versions prior to 2.1.47
  • WordPress sites with the Advanced Reviews feature enabled
  • WordPress sites with the Custom Fonts extension enabled

Discovery Timeline

  • 2026-07-08 - CVE-2026-58480 published to NVD
  • 2026-07-08 - Last updated in NVD database

Technical Details for CVE-2026-58480

Vulnerability Analysis

The vulnerability exists in the save_attachments function reachable through the plugin's Advanced Reviews feature via the blc-review-images parameter. The endpoint is exposed without authentication, so any anonymous visitor can invoke it. The Custom Fonts extension is responsible for validating attachment filenames before they are written to disk. Its validation logic relies on strpos() to look for allowed font extensions such as .woff2 anywhere within the filename string. This substring approach does not anchor the check to the real, final extension of the file.

An attacker submits a filename containing a permitted substring followed by an executable extension, for example shell.woff2.php. The strpos() check succeeds because the string woff2 is present, and the file is saved to a web-accessible directory. When Apache or another PHP-enabled web server resolves the file, it executes it as PHP based on the trailing .php extension, yielding remote code execution as the web server user.

Root Cause

The root cause is improper input validation of uploaded filenames [CWE-434]. Substring matching using strpos() is not equivalent to extension validation. Safe implementations must parse the actual final extension, use an allowlist, and reject filenames containing multiple extensions or executable suffixes.

Attack Vector

The attack is remote and network-based. An attacker sends a crafted HTTP POST request to the plugin's save_attachments handler with a double-extension file in the blc-review-images parameter. No credentials, user interaction, or prior access are required. Once the file is written to the uploads directory, the attacker requests its URL, and the server executes the embedded PHP payload.

No verified public proof-of-concept code is referenced in the advisory. See the VulnCheck Security Advisory and the Wordfence Vulnerability Analysis for technical details.

Detection Methods for CVE-2026-58480

Indicators of Compromise

  • New PHP files inside wp-content/uploads/ or plugin-controlled attachment directories, especially with double extensions such as .woff2.php, .jpg.php, or .png.php
  • HTTP POST requests to plugin endpoints containing the blc-review-images parameter from unauthenticated sources
  • Outbound connections from the PHP-FPM or web server process to unfamiliar hosts following upload activity

Detection Strategies

  • Inspect web server access logs for POST requests referencing save_attachments, blc-review-images, or Blocksy Companion review endpoints originating from unauthenticated clients
  • Alert on file writes to the WordPress uploads directory where the resulting filename contains more than one extension or ends in .php, .phtml, or .phar
  • Correlate file creation events in wp-content/uploads/ with immediate GET requests to the same file path, a common webshell access pattern

Monitoring Recommendations

  • Enable file integrity monitoring on the WordPress installation directory and uploads path
  • Forward web server access logs, PHP error logs, and plugin activity to a centralized log platform for correlation
  • Monitor process lineage where the web server user spawns shells, curl, wget, or scripting interpreters

How to Mitigate CVE-2026-58480

Immediate Actions Required

  • Update Blocksy Companion Pro to version 2.1.47 or later on all WordPress sites
  • Audit wp-content/uploads/ for suspicious files with double extensions or PHP content and remove any confirmed webshells
  • Rotate WordPress administrator credentials, API keys, and database passwords if compromise is suspected
  • Review web server logs for prior exploitation attempts referencing blc-review-images or the save_attachments endpoint

Patch Information

The vendor addressed the flaw in Blocksy Companion Pro version 2.1.47 by hardening filename and extension validation in the save_attachments function. Refer to the Patchstack Vulnerability Report and the WordPress Blocksy Companion Plugin page for the fixed release.

Workarounds

  • If immediate patching is not possible, disable the Blocksy Companion Pro plugin or specifically the Advanced Reviews and Custom Fonts extensions
  • Configure the web server to prevent PHP execution within the wp-content/uploads/ directory using directives that disable script handlers for that path
  • Deploy a web application firewall rule to block unauthenticated POST requests containing the blc-review-images parameter or filenames with multiple extensions
bash
# Example Apache configuration to block PHP execution in uploads
<Directory "/var/www/html/wp-content/uploads">
    <FilesMatch "\.(php|phtml|phar|php[0-9])$">
        Require all denied
    </FilesMatch>
    php_flag engine off
</Directory>

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.