Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1822+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-15158: WordPress Blocksy Companion Arbitrary File Upload (CVSS 9.8)
CVE-2026-15158: WordPress Blocksy Companion Arbitrary File Upload (CVSS 9.8)

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2026-15158

CVE-2026-15158: WordPress Blocksy Companion Arbitrary File Upload (CVSS 9.8)

A critical arbitrary file upload vulnerability in the Blocksy Companion WordPress plugin (versions up to 2.1.46) allows unauthenticated attackers to upload malicious PHP files by exploiting a flawed font file type filter, enabling remote code execution.

Dylan H.

Security Team

July 10, 2026
5 min read

Affected Products

  • WordPress Blocksy Companion Plugin 2.1.46 and earlier
  • WordPress sites with Custom Fonts extension enabled

Executive Summary

CVE-2026-15158 is a critical arbitrary file upload vulnerability affecting the Blocksy Companion plugin for WordPress, present in all versions up to and including 2.1.46. The flaw resides in the Custom Fonts extension's save_attachments function, which registers a wp_check_filetype_and_ext filter that incorrectly approves any file whose name contains .woff2 or .woff — regardless of the file's actual content or extension.

CVSS Score: 9.8 (Critical)

An unauthenticated attacker can exploit this flaw to upload a PHP webshell disguised as a font file (e.g., shell.php.woff2), which is then stored on the server and executable via a direct HTTP request — resulting in full remote code execution.


Vulnerability Overview

Root Cause

The Blocksy Companion plugin's Custom Fonts extension registers a WordPress filter hook (wp_check_filetype_and_ext) to permit font file uploads. The filter's logic is flawed: it checks whether the filename contains the string .woff2 or .woff, rather than verifying that the file extension ends with an allowed value.

This means a file named malicious.php.woff2 satisfies the filter check and is uploaded successfully, but the server interprets and executes it as PHP.

Attack Vector

1. Attacker crafts a PHP webshell file named shell.php.woff2
2. Attacker sends POST request to WordPress AJAX endpoint (wp-admin/admin-ajax.php)
3. Blocksy's save_attachments handler processes the upload
4. wp_check_filetype_and_ext filter sees ".woff2" in filename — approves the file
5. shell.php.woff2 is stored in the WordPress uploads directory
6. Attacker sends GET request to the uploaded file URL
7. PHP interpreter executes the shell, granting full server access

Authentication Required?

No — exploitation may be possible without authentication depending on how the AJAX action is registered. The NVD listing confirms this affects all versions up to 2.1.46 with no authentication requirement noted.


Technical Details

Affected Component

ComponentDetail
PluginBlocksy Companion
ExtensionCustom Fonts
Vulnerable Functionsave_attachments
Vulnerable Hookwp_check_filetype_and_ext
Affected VersionsAll versions ≤ 2.1.46
Fixed Version2.1.47+ (verify with plugin changelog)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality / Integrity / Availability: High / High / High

Example Exploit Filename Pattern

shell.php.woff2
cmd.php.woff
backdoor.phtml.woff2

Any filename containing .woff2 or .woff will bypass the filter, regardless of what precedes it.


Identifying Exposure

Check if Blocksy Companion is Installed

# On the WordPress server
ls wp-content/plugins/blocksy-companion/
 
# Check version
grep -i "version" wp-content/plugins/blocksy-companion/blocksy-companion.php | head -5

Check if Custom Fonts Extension is Active

The Custom Fonts extension must be enabled within the plugin for this attack path to exist. Check the Blocksy Companion settings in the WordPress admin panel under Blocksy > Extensions > Custom Fonts.

Look for Suspicious Uploaded Files

# Search for PHP files in uploads directory
find wp-content/uploads/ -name "*.php*" -o -name "*.phtml*" | grep -i woff
 
# Check recent uploads
find wp-content/uploads/ -newer wp-content/plugins/blocksy-companion/blocksy-companion.php -name "*.woff*"

Remediation

Option 1: Update the Plugin (Recommended)

Update Blocksy Companion to version 2.1.47 or later via the WordPress admin panel:

Dashboard → Plugins → Updates → Update Blocksy Companion

Or via WP-CLI:

wp plugin update blocksy-companion

Option 2: Disable Custom Fonts Extension

If an immediate update is not possible, disable the Custom Fonts extension within Blocksy Companion:

Blocksy → Extensions → Custom Fonts → Disable

This removes the vulnerable filter hook until the plugin is patched.

Option 3: Restrict AJAX Access (Temporary)

Add a WAF rule or server-side restriction to block unauthenticated POST requests to admin-ajax.php for the specific action used by the Custom Fonts extension.


Detection

Scan Uploads for Webshells

# Search for PHP code in woff files
grep -rl "<?php\|eval(\|base64_decode\|system(\|exec(" wp-content/uploads/ 2>/dev/null
 
# Find double-extension files in uploads
find wp-content/uploads/ -name "*.php.*" -o -name "*.phtml.*"

SIEM / Log Query

index=webserver sourcetype=access_combined
| where match(uri_path, "admin-ajax\.php") AND match(request_method, "POST")
| where match(user_agent, ".*") AND status=200
| stats count by src_ip, uri_path, _time

Wordfence / Security Plugin

Users running Wordfence or similar WordPress security plugins should ensure file upload scanning is enabled and set to block double-extension files.


Impact

If exploited, an attacker gains the ability to:

  • Execute arbitrary PHP code with the privileges of the web server user
  • Read, modify, or delete files accessible to the web process
  • Access WordPress database credentials from wp-config.php
  • Pivot to other services on the server
  • Establish persistent backdoor access
  • Exfiltrate customer data, posts, and plugin configuration

References

  • NVD — CVE-2026-15158
  • WordPress Plugin Directory — Blocksy Companion
  • OWASP — Unrestricted File Upload

Related Reading

  • CVE-2026-5955: BiEticaret SQL Injection — Full Database Compromise
  • CVE-2026-2342: ValeApp Stored XSS — Session Hijacking Risk
  • Apache Struts Critical RCE via OGNL Injection Returns
#WordPress#File Upload#RCE#Plugin Vulnerability#Critical#CVE

Related Articles

CVE-2026-9711: Critical SQL Injection in EventON WordPress Plugin (CVSS 9.8)

A critical unauthenticated SQL injection vulnerability in the EventON WordPress Virtual Event Calendar Plugin affects versions up to 5.0.11, exposing...

3 min read

CVE-2026-54414: FileRise Path Traversal Enables Arbitrary File Write and Admin Takeover

A critical path traversal vulnerability in FileRise before 3.16.0 allows unauthenticated attackers to write arbitrary files and completely compromise...

5 min read

CVE-2026-7515: BetterDocs Pro WordPress Plugin — Unauthenticated Local File Inclusion

A critical Local File Inclusion vulnerability in the BetterDocs Pro WordPress plugin (up to v3.8.0) allows unauthenticated attackers to include and...

6 min read
Back to all Security Alerts