Executive Summary

A critical vulnerability, CVE-2026-15158, with a CVSS score of 9.8, has been discovered in the Blocksy Companion plugin for WordPress. This vulnerability allows unauthenticated attackers to upload arbitrary files, potentially leading to remote code execution. The vulnerability is exploitable only when the premium version of the plugin (blocksy-companion-pro) is installed with both the WooCommerce Extra (Advanced Reviews) and Custom Fonts extensions active.

Technical Analysis

The vulnerability is classified as an Arbitrary File Upload vulnerability. The attack vector involves the save_attachments function in the Blocksy Companion plugin. The Custom Fonts extension registers a wp_check_filetype_and_ext filter that approves filenames containing .woff2 or .ttf as substrings, rather than validating them as final extensions. This allows double-extension filenames, such as shell.woff2.php, to pass MIME validation and be handled as permitted font files.

How It Gets Exploited

An unauthenticated remote attacker on the same network can exploit this vulnerability. The attacker would send a crafted request to the save_attachments function, including a malicious file with a double extension (e.g., shell.woff2.php). The plugin's flawed validation mechanism would approve this file, allowing it to be uploaded. Once uploaded, the attacker could execute the malicious file, achieving remote code execution as the web service user.

Impact Assessment

The Blocksy Companion plugin versions up to and including 2.1.46 are affected. The vulnerability has a CVSS score of 9.8, indicating a critical severity level. Successful exploitation could lead to remote code execution, allowing an attacker to gain control over the affected system.

Recommended Actions

To mitigate this vulnerability, update the Blocksy Companion plugin to a version that addresses this issue (no patched version is specified in the source data, so checking for updates is necessary). Specifically, ensure that the premium version of the plugin (blocksy-companion-pro) is updated or that the WooCommerce Extra (Advanced Reviews) and Custom Fonts extensions are deactivated if they are not required. Additionally, monitoring for suspicious file uploads and implementing a web application firewall (WAF) rule to block malicious requests can help detect and prevent exploitation attempts.

Sources

- National Vulnerability Database (NVD) - Wordfence