Blocksy Companion Pro plugin for WordPress before 2.1.47 contains an unauthenticated arbitrary file upload vulnerability that allows attackers to upload executable files by bypassing extension validation in the save_attachments function exposed through the Advanced Reviews feature. Attackers can exploit the Custom Fonts extension's flawed strpos() substring check by uploading double-extension filenames such as shell.woff2.php, causing the validation to pass on the substring match while the web server executes the file as PHP, achieving remote code execution.
| Vendor | Product | Versions |
|---|---|---|
| creative themes | blocksy companion | 0 |
Updated vendor to 'creative mes', product to 'blocksy companion pro', severity to 'CRITICAL', and marked the vulnerability as actively exploited.
Initial creation