Blocksy Companion <= 2.1.46 - Unauthenticated Arbitrary File Upload via 'blc-review-images[]' Parameter
Summary
| CVE | CVE-2026-15158 |
|---|---|
| State | PUBLISHED |
| Assigner | Wordfence |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-09 10:16:25 UTC |
| Updated | 2026-07-09 16:19:45 UTC |
| Description | The Blocksy Companion plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 2.1.46 via the save_attachments function. This is due to the Custom Fonts extension registering a wp_check_filetype_and_ext filter that approves any filename containing .woff2 or .ttf as a substring via strpos() rather than validating that those strings appear as the final extension via PATHINFO_EXTENSION — allowing double-extension filenames such as shell.woff2.php to pass MIME validation and be handled as permitted font files. This makes it possible for unauthenticated attackers to upload files that may be executable, which makes remote code execution possible. This vulnerability is only exploitable when the premium version of the plugin (blocksy-companion-pro) is installed with both the WooCommerce Extra (Advanced Reviews) and Custom Fonts extensions active; the free blocksy-companion plugin does not contain the vulnerable code paths. |
Risk And Classification
Primary CVSS: v3.1 9.8 CRITICAL from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.009950000 probability, percentile 0.585600000 (date 2026-07-13)
Problem Types: CWE-434 | CWE-434 CWE-434 Unrestricted Upload of File with Dangerous Type
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Secondary | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | CNA | DECLARED | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Creativethemeshq | Blocksy Companion | affected 2.1.46 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| plugins.trac.wordpress.org/browser/blocksy-companion/tags/2.1.46/framework/premium/exten... | [email protected] | plugins.trac.wordpress.org | |
| www.wordfence.com/threat-intel/vulnerabilities/id/2df449b4-3f3b-4afc-b391-8d8d1... | [email protected] | www.wordfence.com | |
| plugins.trac.wordpress.org/browser/blocksy-companion/tags/2.1.46/framework/premium/exten... | [email protected] | plugins.trac.wordpress.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Nguyen Ba Khanh (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-06-24T17:51:22.000Z | Vendor Notified |
| CNA | 2026-07-01T13:28:35.000Z | Disclosed |
There are currently no legacy QID mappings associated with this CVE.