Illustration of a cracked shield bearing the WordPress logo next to a broken padlock and warning triangle, symbolizing a WordPress security vulnerability

Critical Blocksy WordPress Plugin Bug Lets Attackers Skip Login Entirely

A double-extension trick — naming a file shell.woff2.php — is enough to bypass validation and run code as the web server.

A critical flaw in the WordPress Blocksy Companion Pro plugin allows an adversary to commandeer a website running the popular software simply by uploading a spoofed file with the extension spoofed to “shell.woff2.php”.

Users of the widely bundled plugin, with over 300,000 active installs, are urged to update to Blocksy Companion Pro version 2.1.47 immediately. Tracked as CVE-2026-58480 and rated 9.8 out of 10 on the CVSS severity scale, requires no login and no user interaction to exploit.

Classified as an unauthenticated arbitrary file upload vulnerability, the CVE record states the flaw allows attackers to upload executable files by bypassing extension validation in the “save_attachments” function exposed through the Advanced Reviews feature.

“Attackers can exploit the Custom Fonts extension’s flawed strpos substring check by uploading double-extension filenames such as shell.woff2.php, causing the validation to pass on the substring match while the web server executes the file as PHP, achieving remote code execution,” according to the vendor’s security bulletin.  

The substring check sees “.woff2” and passes the file, while the web server sees the trailing “.php” and executes it as code, handing the attacker remote code execution with the permissions of the web server itself.

The results are a worst-case scenario for targeted sites. The vulnerability is exploitable remotely, requiring no privileges, no user interaction and no special skills. A successful attack gives the attacker full control over the site.

Double-extension bypasses are an old trick, but keep working. That’s because plugin developers keep writing their own ad hoc validation instead of relying on hardened, shared upload-handling libraries.

With unauthenticated remote code execution and a CVSS score of 9.8, this bug is a prime target for mass scanning. Patchstack’s State of WordPress Security in 2026 report found that highly exploitable vulnerabilities like this one are often weaponized within hours of disclosure — the weighted median time to first mass exploitation across the WordPress ecosystem was just five hours in 2025.

Site owners should not wait for signs of compromise before updating.

Author

  • Tom Spring

    Tom Spring is a cybersecurity journalist covering identity, AI, cloud security and enterprise risk. He is the founder of Security Point Break and former Senior Editorial Director at CyberRisk Alliance, where he led coverage for SC Media, MSSP Alert and ChannelE2E.

    An award-winning reporter, his work has been recognized by the Society of Professional Journalists, ASBPE and the Jesse H. Neal Awards. He focuses on cutting through cybersecurity hype to deliver clear, grounded reporting for security and business leaders.

Total
0
Shares

Leave a Reply

Previous Article
Illustration of a downcast, crying cartoon cat-octopus character beside bold black text reading "GitLost"

GitHub AI Agent Bug Let Attackers Leak Private Code

Related Posts

Discover more from Security Point Break

Subscribe now to keep reading and get access to the full archive.

Continue reading