SYS::ONLINE
Wasteland.
Briefs1138
Issues18
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-58480 2026-07-08

CVE-2026-58480: Unauthenticated RCE in Blocksy Companion Pro for WordPress

"A critical unauthenticated arbitrary file upload flaw in the Blocksy Companion Pro WordPress plugin lets remote attackers upload PHP files and achieve remote code execution, fixed in version 2.1.47."

A critical unauthenticated arbitrary file upload flaw in the Blocksy Companion Pro WordPress plugin lets remote attackers upload PHP files and achieve remote code execution, fixed in version 2.1.47.

What Is It

CVE-2026-58480 is an unauthenticated arbitrary file upload vulnerability (CWE-434) in the Blocksy Companion Pro plugin for WordPress, published July 8, 2026 by VulnCheck. The flaw lives in the save_attachments function exposed through the Advanced Reviews feature, which handles review image uploads via the blc_review_images parameter. The function uses a flawed strpos() substring check to validate file extensions. By uploading double-extension filenames such as shell.jpg.php, an attacker passes the substring match while the web server executes the file as PHP, achieving remote code execution.

Why It Matters

The vulnerability carries a CVSS 3.1 base score of 9.8 (CRITICAL) and a CVSS 4.0 score of 9.2 (CRITICAL). It is exploitable over the network with low attack complexity, requires no privileges, and needs no user interaction. CISA's SSVC assessment rates the technical impact as "total" and marks the flaw as "automatable," meaning attacks can be scripted at scale. Successful exploitation grants high impact to confidentiality, integrity, and availability. Note: the SSVC assessment lists exploitation status as "none"; no active exploitation is confirmed in the supplied data, and there is no CISA KEV entry present.

What's Vulnerable

Patch Status

A fix is available. Administrators should update the Blocksy Companion plugin to version 2.1.47 or later, which resolves the extension-validation bypass. Given the unauthenticated, automatable nature of the flaw, patching should be treated as urgent.

Sources