Blocksy Companion WordPress Plugin Authenticated Arbitrary File Upload Vulnerability

Vulnerability

The Blocksy Companion plugin for WordPress, in all versions through 2.1.19, allows authenticated users with Author-level access or higher (the lowest default role that can upload media) to upload arbitrary files. The cause is insufficient file-type validation on SVG uploads: the check does not correctly handle filenames with a double extension, so a file that carries a second extension alongside ".svg" can slip past the sanitization meant for SVGs and be stored as though it were a legitimate SVG. Depending on the web server configuration, such a file can then be requested and executed, which makes remote code execution on the affected server possible.
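The following is an added illustration of the bug class described above; it is not Blocksy Companion's code and does not claim to reproduce the plugin's actual implementation. It shows an SVG allow-list whose extension test is a loose substring match (so "logo.svg.php" passes) next to a hardened version that only accepts a name whose single, final extension is "svg" and whose body parses as an <svg> document. The function names prefixed example_, the constructed sample filenames and the decision to reject every multi-dot name are assumptions made for this example; the WordPress hooks upload_mimes and wp_check_filetype_and_ext are real.

```php
<?php
// Added example (not Blocksy Companion's own code). Demonstrates why an SVG
// allow-list must anchor on the *final* extension: WordPress itself already
// rejects "logo.svg.php" (ext "php" is not in the allowed MIME list), so a
// plugin only re-opens the hole if its own check overrides that verdict on a
// loose ".svg" substring match. All example_* names are hypothetical.

// WEAK: any name that merely contains ".svg" is treated as an SVG.
function example_weak_looks_like_svg( string $filename ): bool {
    return stripos( $filename, '.svg' ) !== false;
}

// HARDENED: exactly one extension, and it must be "svg". Rejecting every
// multi-dot name removes the whole double-extension class:
// "x.svg.php", "x.php.svg" and ".svg" all fail here.
function example_strict_is_svg( string $filename ): bool {
    $parts = explode( '.', basename( $filename ) );
    return count( $parts ) === 2
        && $parts[0] !== ''
        && strtolower( $parts[1] ) === 'svg';
}

// Content check: the body must parse as XML with an <svg> root element.
// LIBXML_NONET stops the parser from fetching external entities.
function example_body_is_svg( string $contents ): bool {
    $prev = libxml_use_internal_errors( true );
    $xml  = simplexml_load_string( $contents, 'SimpleXMLElement', LIBXML_NONET );
    libxml_clear_errors();
    libxml_use_internal_errors( $prev );
    return $xml !== false && strtolower( $xml->getName() ) === 'svg';
}

// Wiring into WordPress. Registered only when WordPress is loaded so that the
// file also runs stand-alone from the command line (see the demo below).
if ( function_exists( 'add_filter' ) ) {
    add_filter( 'upload_mimes', function ( array $mimes ): array {
        $mimes['svg'] = 'image/svg+xml';
        return $mimes;
    } );

    add_filter( 'wp_check_filetype_and_ext', function ( array $data, string $file, string $filename ): array {
        // Only widen WordPress's verdict when BOTH the name and the body check out.
        if ( example_strict_is_svg( $filename )
            && example_body_is_svg( (string) file_get_contents( $file ) ) ) {
            $data['ext']  = 'svg';
            $data['type'] = 'image/svg+xml';
        }
        return $data; // every other name keeps WordPress's own (stricter) result
    }, 10, 3 );
}

// Stand-alone demo over constructed filenames: `php this_file.php`
if ( PHP_SAPI === 'cli' && ! function_exists( 'add_filter' ) ) {
    foreach ( [ 'logo.svg', 'LOGO.SVG', 'logo.svg.php', 'logo.php.svg' ] as $name ) {
        printf( "%-14s weak=%-6s strict=%s\n", $name,
            example_weak_looks_like_svg( $name ) ? 'accept' : 'reject',
            example_strict_is_svg( $name ) ? 'accept' : 'reject' );
    }
}
```

Run from the CLI the demo shows the two filters disagreeing on exactly the double-extension names: the weak check accepts logo.svg.php and logo.php.svg, the strict check rejects both while still accepting LOGO.SVG. The design point is that a wp_check_filetype_and_ext callback should only ever narrow or confirm WordPress's verdict for names it has fully validated, never re-enable a file that core already turned away.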

Impact

An attacker holding an Author-level (or higher) account on a vulnerable site can upload files of arbitrary type. Where the web server will execute such a file, this yields remote code execution on the server hosting the WordPress site.

Remediation

Update the Blocksy Companion plugin to version 2.1.20, which contains the fix, or to any later release.
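Two checks that follow from the remediation above, as an added example rather than anything shipped with the advisory or the plugin: confirm that the installed Blocksy Companion is at or beyond the fixed version, and look through the uploads directory for double-extension or server-executable files that a pre-patch upload could have left behind. The plugin directory and main file name (blocksy-companion/blocksy-companion.php), the wp-content layout and all example_* names are assumptions; version_compare() and the SPL directory iterators are standard PHP.

```php
<?php
// Added example, not from the advisory or the plugin. Post-remediation checks:
// (1) installed version >= 2.1.20, (2) suspicious names already in uploads.
// Plugin path, main-file name and example_* helpers are assumptions.

const EXAMPLE_FIXED_VERSION = '2.1.20';

// Reads the "Version:" header WordPress itself displays. Null if not found.
function example_installed_version( string $plugin_main_file ): ?string {
    $head = (string) @file_get_contents( $plugin_main_file, false, null, 0, 8192 );
    return preg_match( '/^[ \t\/*#@]*Version:\s*(\S+)/mi', $head, $m ) ? $m[1] : null;
}

function example_is_patched( ?string $installed ): bool {
    return $installed !== null
        && version_compare( $installed, EXAMPLE_FIXED_VERSION, '>=' );
}

// Flags what the advisory's bug class would leave behind: a final extension
// PHP could execute, or ".svg" / an executable extension hidden before the
// final one ("shell.svg.php", "shell.php.svg", "shell.phtml").
function example_is_suspicious_upload_name( string $name ): bool {
    $exec_exts = [ 'php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar' ];
    $parts     = array_map( 'strtolower', explode( '.', basename( $name ) ) );
    if ( count( $parts ) < 2 ) {
        return false;
    }
    $last = array_pop( $parts );
    if ( in_array( $last, $exec_exts, true ) ) {
        return true;
    }
    foreach ( $parts as $inner ) {
        if ( $inner === 'svg' || in_array( $inner, $exec_exts, true ) ) {
            return true;
        }
    }
    return false;
}

function example_scan_uploads( string $uploads_dir ): array {
    $hits = [];
    if ( ! is_dir( $uploads_dir ) ) {
        return $hits;
    }
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $uploads_dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $it as $file ) {
        if ( $file->isFile() && example_is_suspicious_upload_name( $file->getFilename() ) ) {
            $hits[] = $file->getPathname();
        }
    }
    sort( $hits );
    return $hits;
}

// Usage: php this_file.php /path/to/wordpress   (assumed WordPress root)
if ( PHP_SAPI === 'cli' ) {
    $root      = $argv[1] ?? getcwd();
    $installed = example_installed_version(
        "$root/wp-content/plugins/blocksy-companion/blocksy-companion.php"
    );
    printf( "Blocksy Companion %s: %s\n",
        $installed ?? 'not found',
        example_is_patched( $installed ) ? 'patched' : 'UPDATE REQUIRED' );
    foreach ( example_scan_uploads( "$root/wp-content/uploads" ) as $hit ) {
        echo "suspicious upload: $hit\n";
    }
}
```

A hit from the scan is not proof of compromise, but any PHP-executable file under wp-content/uploads has no legitimate reason to exist, and a name with ".svg" before its final extension matches the pattern this advisory describes; treat either as an incident-response lead, not just a cleanup item.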

Added: Nov 11, 2025, 11:19 AM
Updated: Nov 11, 2025, 11:19 AM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 7.5
exploitability: 6.1
remediation: 7.7
relevance: 1.0
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.