CVE-2026-58480 is a critical unrestricted file upload vulnerability in the Blocksy Companion Pro plugin for WordPress affecting versions before 2.1.47. The flaw is exposed through the Advanced Reviews feature in the save_attachments function and is caused by improper file extension validation in the Custom Fonts extension. Specifically, the code uses a flawed strpos() substring check to determine whether an uploaded filename contains an allowed extension. An attacker can bypass this validation by supplying a double-extension filename such as shell.woff2.php: the presence of the allowed substring .woff2 causes validation to succeed, while the trailing .php extension can still be interpreted and executed by the web server. Because the vulnerable upload path is reachable without authentication, a remote attacker can upload a malicious PHP payload and then invoke it over HTTP to achieve remote code execution.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
No public exploits tracked yet. Mallory keeps watching.
No public exploit code observed for this vulnerability.
8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A critical unrestricted file upload vulnerability in the Blocksy Companion Pro WordPress plugin that allows unauthenticated remote code execution via a double-extension file upload bypass in the save_attachments function used by the Advanced Reviews feature.
An unauthenticated arbitrary file upload vulnerability in the Blocksy Companion Pro WordPress plugin before version 2.1.47 that can lead to remote code execution by bypassing extension validation using double-extension filenames.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.