External risk intelligence

Blocksy Companion Pro Unauthenticated Arbitrary File Upload Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.2)

CVE-2026-58480

The vulnerability resides in a WordPress plugin that implements public-facing features such as Advanced Reviews. Because these features are intended to be accessed by web site visitors, the vulnerable code path is commonly exposed to the internet as part of a public web application.

Unrestricted File Upload

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A security vulnerability has been identified in a WordPress plugin, specifically within its file upload functionality. This issue could allow unauthorized individuals to upload and execute malicious files on affected systems, potentially leading to a compromise of the website and its underlying data. The main concern is to confirm if this plugin is in use and if it is exposed to external access.

  • Unauthenticated file uploads can lead to code execution.
  • Website compromise is a potential business risk.
  • Confirm plugin usage and external exposure.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by uploading a specially crafted file through the plugin's Advanced Reviews feature, bypassing security checks. This could allow an attacker to execute arbitrary code on the server, potentially leading to a complete compromise of the website.

  • Unauthenticated access required.
  • Upload executable files via Advanced Reviews.
  • Remote code execution risk.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to upload and execute arbitrary files on a WordPress site when the Advanced Reviews feature is enabled. This could lead to the compromise of the website's server.

  • Website server files and data.
  • Via unauthenticated file upload in Advanced Reviews.
  • Remote code execution and site compromise.

Operational Fix

Recommended remediation, mitigation, and detection steps

Website owners and platform administrators are responsible for addressing this vulnerability. The immediate first step is to identify all WordPress sites using the affected plugin, determine their exposure and business criticality, and then coordinate remediation with the website owner and any relevant development or infrastructure teams.

  • Website owners should own remediation.
  • Verify plugin usage and exposure.
  • Plan updates during maintenance windows.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Blocksy Companion Pro plugin?

Blocksy Companion Pro is an add-on for the Blocksy WordPress theme. It provides advanced tools to enhance site functionality, such as the Advanced Reviews feature and custom font management. These plugins are typically installed to provide site owners with more design control and interactive capabilities for their visitors.

What is the CWE-434 vulnerability in CVE-2026-58480?

This is an Unrestricted Upload of File with Dangerous Type vulnerability. It means the software does not sufficiently verify that an uploaded file is safe before saving it. In this case, the plugin fails to properly validate file extensions, allowing someone to sneak in an executable script disguised as an allowed file type.

Do I need to be logged in to trigger this bug?

No. The vulnerability is unauthenticated, meaning an attacker does not need a user account or special permissions to trigger it. However, the flaw specifically involves the Advanced Reviews feature. If this feature is disabled, the specific code path that processes these file uploads is not reached.

Why is this vulnerability considered internet-facing?

Halo Surface Signal identifies this as a likely external risk because the affected Advanced Reviews feature is designed for public interaction. Since these features are built to accept inputs from web visitors, the vulnerable upload function is naturally exposed to the internet on any site where the feature is active.

How do I secure my site against CVE-2026-58480?

The most effective response is to update the Blocksy Companion Pro plugin to version 2.1.47 or higher immediately. If an update is not immediately possible, disable the Advanced Reviews feature to remove the entry point for the file upload until you can apply the vendor-provided security update.

References