CVE-2026-58480: Critical Unauthenticated Arbitrary File Upload Vulnerability in Blocksy Companion Pro Plugin
A critical vulnerability (CVE-2026-58480, CVSS 9.8) exists in the Blocksy Companion Pro plugin for WordPress before version 2.1.47. This unauthenticated arbitrary file upload vulnerability allows attackers to upload executable files, bypassing extension validation in the save_attachments function exposed through the Advanced Reviews feature. Successful exploitation leads to remote code execution. Immediate patching is recommended.