Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Unauthenticated network file-upload RCE (AV:N/PR:N/UI:N) with full CIA impact, but AC:H reflects the required PHP-execution-in-uploads server condition (AT:P in 4.0).
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Blocksy Companion Pro plugin for WordPress before 2.1.47 contains an unauthenticated arbitrary file upload vulnerability that allows attackers to upload executable files by bypassing extension validation in the save_attachments function exposed through the Advanced Reviews feature. Attackers can exploit the Custom Fonts extension's flawed strpos() substring check by uploading double-extension filenames such as shell.woff2.php, causing the validation to pass on the substring match while the web server executes the file as PHP, achieving remote code execution.
Articles & Coverage 2
AnalysisAI
Remote code execution in the Blocksy Companion Pro WordPress plugin (all versions before 2.1.47) lets unauthenticated attackers upload executable PHP files through the Advanced Reviews feature, taking over the site. The save_attachments function relies on a flawed strpos() substring check inherited from the Custom Fonts extension, so a double-extension filename like shell.woff2.php passes validation while the server executes it as PHP. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target to be running Blocksy Companion Pro before 2.1.47 with the Advanced Reviews feature exposed (the save_attachments upload path reachable via the blc-review-images parameter), and - reflected in the CVSS AT:P flag - the web server must be configured to execute PHP files from the plugin's upload/attachments directory, which is the default on most WordPress/LAMP deployments but can be disabled. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This is a genuine high-priority issue rather than a high-score-low-risk case. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker sends an unauthenticated HTTP POST to the plugin's review-image upload endpoint carrying a file named shell.woff2.php whose body contains PHP code; the strpos() check sees 'woff2' and accepts it. The attacker then requests the stored file's URL, the web server executes the embedded PHP, and the attacker gains remote code execution and full control of the WordPress site. … |
| Remediation | Vendor-released patch: upgrade Blocksy Companion (Pro) to version 2.1.47 or later, available via https://wordpress.org/plugins/blocksy-companion/ and the vendor/VulnCheck advisory. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all WordPress installations running Blocksy Companion Pro and document current plugin versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42233
GHSA-r58f-77hp-phcj