SYS::ONLINE
Wasteland.
Briefs1143
Issues18
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-15158 2026-07-09

CVE-2026-15158: Unauthenticated RCE in Blocksy Companion Pro for WordPress

"A critical arbitrary file upload flaw in the premium Blocksy Companion plugin for WordPress lets unauthenticated attackers upload executable files and achieve remote code execution."

A critical arbitrary file upload flaw in the premium Blocksy Companion plugin for WordPress lets unauthenticated attackers upload executable files and achieve remote code execution.

What Is It

CVE-2026-15158 is an arbitrary file upload vulnerability (CWE-434) in the Blocksy Companion plugin for WordPress, present in all versions up to and including 2.1.46. The flaw lives in the save_attachments function. The Custom Fonts extension registers a wp_check_filetype_and_ext filter that approves any filename merely containing .woff2 or .ttf as a substring, using strpos() instead of validating the final extension via PATHINFO_EXTENSION. As a result, double-extension filenames such as shell.woff2.php pass MIME validation and are handled as permitted font files, opening the door to remote code execution.

Why It Matters

The vulnerability carries a CVSS 3.1 base score of 9.8 (CRITICAL), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. It is exploitable over the network, requires low attack complexity, needs no privileges, and requires no user interaction. Because unauthenticated attackers can upload potentially executable files, successful exploitation can lead to full remote code execution with high impact to confidentiality, integrity, and availability. As of this writing, the vulnerability is not listed in the CISA KEV catalog, and no active exploitation has been confirmed in the supplied source material.

What's Vulnerable

Exploitation is only possible when the premium blocksy-companion-pro version is installed with both the WooCommerce Extra (Advanced Reviews) and Custom Fonts extensions active. The free blocksy-companion plugin does not contain the vulnerable code paths.

Patch Status

The supplied source material does not include a fixed version or a specific required-action deadline. Because all versions up to and including 2.1.46 are affected, administrators should update Blocksy Companion Pro to a version newer than 2.1.46 once available, or disable the affected extensions in the interim.

Sources