A critical flaw in the WordPress Blocksy Companion Pro plugin allows an adversary to commandeer a website running the popular software simply by uploading a spoofed file with the extension spoofed to “shell.woff2.php”.
Users of the widely bundled plugin, with over 300,000 active installs, are urged to update to Blocksy Companion Pro version 2.1.47 immediately. Tracked as CVE-2026-58480 and rated 9.8 out of 10 on the CVSS severity scale, requires no login and no user interaction to exploit.
Classified as an unauthenticated arbitrary file upload vulnerability, the CVE record states the flaw allows attackers to upload executable files by bypassing extension validation in the “save_attachments” function exposed through the Advanced Reviews feature.
“Attackers can exploit the Custom Fonts extension’s flawed strpos substring check by uploading double-extension filenames such as shell.woff2.php, causing the validation to pass on the substring match while the web server executes the file as PHP, achieving remote code execution,” according to the vendor’s security bulletin.
The substring check sees “.woff2” and passes the file, while the web server sees the trailing “.php” and executes it as code, handing the attacker remote code execution with the permissions of the web server itself.
The results are a worst-case scenario for targeted sites. The vulnerability is exploitable remotely, requiring no privileges, no user interaction and no special skills. A successful attack gives the attacker full control over the site.
Double-extension bypasses are an old trick, but keep working. That’s because plugin developers keep writing their own ad hoc validation instead of relying on hardened, shared upload-handling libraries.
With unauthenticated remote code execution and a CVSS score of 9.8, this bug is a prime target for mass scanning. Patchstack’s State of WordPress Security in 2026 report found that highly exploitable vulnerabilities like this one are often weaponized within hours of disclosure — the weighted median time to first mass exploitation across the WordPress ecosystem was just five hours in 2025.
Site owners should not wait for signs of compromise before updating.