GHSA-r58f-77hp-phcjCriticalCVSS 9.8

Blocksy Companion Pro plugin for WordPress before 2.1.47 contains an unauthenticated arbitrary...

Published
July 8, 2026
Last Modified
July 8, 2026

🔗 CVE IDs covered (1)

📋 Description

Blocksy Companion Pro plugin for WordPress before 2.1.47 contains an unauthenticated arbitrary file upload vulnerability that allows attackers to upload executable files by bypassing extension validation in the save_attachments function exposed through the Advanced Reviews feature. Attackers can exploit the Custom Fonts extension's flawed strpos() substring check by uploading double-extension filenames such as shell.woff2.php, causing the validation to pass on the substring match while the web server executes the file as PHP, achieving remote code execution.

🔗 References (6)