COOEY // HUBcompliance · community · intelligence

Exposures › CVE-2026-58480

CVE-2026-58480

Severity
critical
Source
NVD · cve
Published
2026-07-08
CVSS
9.8
Reference
https://nvd.nist.gov/vuln/detail/CVE-2026-58480
⚡ RCE shame 45/100 rceunpatchedexploited-in-wild

A WordPress plugin allows unauthenticated attackers to execute arbitrary code via double-extension file uploads.

CVE-2026-58480 in Blocksy Companion Pro enables remote code execution by exploiting a flawed extension validation check in the save_attachments function, allowing attackers to upload and execute files like shell.woff2.php. DIB organizations using WordPress-based systems face immediate exposure to unauthenticated RCE, requiring urgent patching and review of all WordPress plugin dependencies.

Shame score — The vulnerability stems from a known flaw in plugin logic rather than vendor negligence, but the unauthenticated RCE severity demands high priority remediation.

Description

Blocksy Companion Pro plugin for WordPress before 2.1.47 contains an unauthenticated arbitrary file upload vulnerability that allows attackers to upload executable files by bypassing extension validation in the save_attachments function exposed through the Advanced Reviews feature. Attackers can exploit the Custom Fonts extension's flawed strpos() substring check by uploading double-extension filenames such as shell.woff2.php, causing the validation to pass on the substring match while the web server executes the file as PHP, achieving remote code execution.

Affected FedRAMP products 0 in the catalog

No correlated FedRAMP products.