External risk intelligence

Blocksy Companion Arbitrary File Upload Leading to Remote Code Execution

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-15158

The vulnerability affects a WordPress plugin, which by design powers public-facing websites. Because the flaw is reachable via unauthenticated requests to web endpoints, it is exposed to the public internet by default in any standard deployment where this plugin and the associated extensions are active.

Unrestricted File Upload

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in the Blocksy Companion WordPress plugin's premium version, when specific extensions are active, could allow unauthenticated attackers to upload and execute arbitrary files, potentially leading to remote code execution. The main concern is confirming relevance and exposure to specific configurations.

  • Allows attackers to upload malicious files.
  • Premium plugin feature with specific extensions active.
  • Confirm relevance and exposure.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can upload a malicious file to a WordPress site by exploiting a flaw in the Blocksy Companion plugin's Custom Fonts extension. This occurs when the premium version of the plugin is installed along with the WooCommerce Extra and Custom Fonts extensions, allowing an attacker to bypass file type validation and upload executable files that can lead to remote code execution.

  • No authentication required.
  • Upload executable files via file extension bypass.
  • Remote code execution.

Live Threat

Current exploitation, exposure, and threat context

When the premium version of the Blocksy Companion plugin is installed with specific extensions (WooCommerce Extra and Custom Fonts), unauthenticated attackers could upload executable files. This could lead to remote code execution under these specific conditions.

  • Executable files could be uploaded.
  • Uploads may occur via crafted filenames.
  • Remote code execution is possible.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Blocksy Companion plugin's premium version, when combined with specific extensions, presents a critical Arbitrary File Upload vulnerability. This issue likely falls under the purview of application owners or platform teams responsible for WordPress deployments, with potential involvement from network or security teams to assess external exposure. The immediate priority is to identify all instances of the affected plugin configuration, determine their business criticality and network reachability, and then escalate to the accountable owners for remediation planning.

  • App owners must identify affected installations.
  • Verify premium plugin and extension usage.
  • Plan remediation based on risk exposure.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Blocksy Companion plugin?

Blocksy Companion is a utility plugin for the WordPress content management system designed to extend the functionality of the Blocksy theme. It provides various features to enhance site customization and management, often packaged with premium extensions that add advanced capabilities like WooCommerce integration or custom font management to the website's administrative interface.

What does CWE-434 mean for CVE-2026-15158?

CWE-434 refers to an Unrestricted Upload of File with Dangerous Type. In this specific case, the vulnerability exists because the software fails to properly verify if an uploaded file is actually a safe font file. Instead of checking the full file extension, it only looks for specific text within the filename, which allows attackers to bypass security checks and upload files that the server might execute.

How can an attacker trigger this vulnerability?

An attacker triggers this by submitting a crafted file with a double extension, such as 'shell.woff2.php', to the affected feature. The system incorrectly validates this as a safe font file because it contains '.woff2'. Note that the free version of the plugin does not contain this flaw; the vulnerability only exists when the premium version is active along with both the Custom Fonts and WooCommerce Extra extensions.

Why is my site's Halo Surface Signal relevant here?

Halo Surface Signal identifies this as 'Very likely' to be exposed because WordPress sites are typically public-facing by design. Since the vulnerability is reachable through unauthenticated web requests, any site running the specific combination of premium extensions is effectively exposed to the public internet, making it a higher priority for verification.

How should I respond if I use this software?

First, verify if your installation uses the premium version of Blocksy Companion with the Custom Fonts and WooCommerce Extra extensions enabled. If these specific components are active, prioritize identifying these instances and restricting their network reachability while you prepare to update or disable the affected extensions to eliminate the risk of unauthorized file execution.

References