PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-58480 Creative Themes CVE debrief

The Blocksy Companion Pro plugin for WordPress contains an unauthenticated file-upload vulnerability, allowing attackers to upload executable files by bypassing extension validation in the save_attachments function exposed through the Advanced Reviews feature. Attackers can exploit the Custom Fonts extension's flawed strpos() substring check by uploading double-extension filenames, such as shell.woff2.php, causing the validation to pass on the substring match while the web server executes the file as PHP, achieving remote code execution. This issue is considered critical, with a CVSS score of 9.2, and affects WordPress sites with the Blocksy Companion Pro plugin installed.

Vendor
Creative Themes
Product
Blocksy Companion
CVSS
CRITICAL 9.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-08
Original CVE updated
2026-07-08
Advisory published
2026-07-08
Advisory updated
2026-07-08

Who should care

Administrators and users of WordPress sites with the Blocksy Companion Pro plugin installed should be aware of this vulnerability and take immediate action to protect their sites. This includes updating the plugin to version 2.1.47 or later, restricting access to the Advanced Reviews feature, and implementing additional security measures such as web application firewalls and intrusion detection systems.

Technical summary

The vulnerability exists due to insufficient validation of user input in the plugin's save_attachments function. Attackers can exploit this by uploading double-extension filenames, allowing them to bypass security checks and execute files as PHP, leading to remote code execution. The Custom Fonts extension's flawed strpos() substring check is a key factor in this vulnerability, as it allows attackers to craft filenames that pass validation but are executed as PHP code.

Defensive priority

High

Recommended defensive actions

  • Update the Blocksy Companion Pro plugin to version 2.1.47 or later.
  • Restrict access to the Advanced Reviews feature to authenticated users only.
  • Implement additional security measures, such as web application firewalls and intrusion detection systems, to monitor and block suspicious traffic.
  • Regularly review and update plugins and themes to ensure they are up-to-date and secure.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

The vulnerability was reported by Patchstack and is tracked as CVE-2026-58480. The NVD entry is currently Deferred. Evidence of exploitation has not been reported, but defenders should verify logs for suspicious activity related to file uploads and execution. The Blocksy Companion Pro plugin's Advanced Reviews feature is particularly vulnerable, and users should focus on securing this functionality.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T14:17:19.977Z and has not been modified since then. The NVD entry is currently Deferred.