Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

CVE-2026-58480

Gravedad CVSS v4.0:
CRÍTICA
Tipo:
CWE-434 Subida sin restricciones de ficheros de tipos peligrosos
Fecha de publicación:
08/07/2026
Última modificación:
08/07/2026

Descripción

*** Pendiente de traducción *** Blocksy Companion Pro plugin for WordPress before 2.1.47 contains an unauthenticated arbitrary file upload vulnerability that allows attackers to upload executable files by bypassing extension validation in the save_attachments function exposed through the Advanced Reviews feature. Attackers can exploit the Custom Fonts extension's flawed strpos() substring check by uploading double-extension filenames such as shell.woff2.php, causing the validation to pass on the substring match while the web server executes the file as PHP, achieving remote code execution.