Description
The Blocksy Companion plugin for WordPress is vulnerable to authenticated arbitrary file upload in all versions up to, and including, 2.1.19. This is due to insufficient file type validation detecting SVG files, allowing double extension files to bypass sanitization while being accepted as a valid SVG file. This makes it possible for authenticated attackers, with author level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2025-11-11
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated Arbitrary File Upload leading to potential Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

The vulnerability exists because Blocksy Companion fails to properly validate uploaded file types, specifically allowing SVG uploads that contain a double file extension. This flaw lets an authenticated user with author or higher privileges upload any file to the site’s server. Once stored, non‑SVG payloads could be executed, resulting in remote code execution.

Affected Systems

The affected product is the Blocksy Companion WordPress plugin, versions up to and including 2.1.19.

Risk and Exploitability

The CVSS score of 8.8 classifies this as high severity, yet the EPSS score of less than 1% indicates a low probability of exploitation at present. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires valid author+ credentials and relies on the double extension bypass to sidestep file type checks, enabling attackers to place arbitrary files on the server.

Generated by OpenCVE AI on April 21, 2026 at 01:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Blocksy Companion to version 2.1.20 or later.
  • Avoid using author+ accounts for site administration and restrict upload capabilities for such roles.
  • Configure WordPress or the web server to enforce strict MIME type validation, rejecting non‑SVG uploads and disallowing executable file types in upload directories.

Generated by OpenCVE AI on April 21, 2026 at 01:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 14 Nov 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 12 Nov 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Creativethemes
Creativethemes blocksy Companion
Wordpress
Wordpress wordpress
Vendors & Products Creativethemes
Creativethemes blocksy Companion
Wordpress
Wordpress wordpress

Tue, 11 Nov 2025 11:15:00 +0000

Type Values Removed Values Added
Description The Blocksy Companion plugin for WordPress is vulnerable to authenticated arbitrary file upload in all versions up to, and including, 2.1.19. This is due to insufficient file type validation detecting SVG files, allowing double extension files to bypass sanitization while being accepted as a valid SVG file. This makes it possible for authenticated attackers, with author level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Title Blocksy Companion <= 2.1.19 - Authenticated (Author+) Arbitrary File Upload via SVG Upload Bypass
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Creativethemes Blocksy Companion
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:33:57.002Z

Reserved: 2025-11-06T20:53:02.971Z

Link: CVE-2025-12846

cve-icon Vulnrichment

Updated: 2025-11-14T15:22:53.784Z

cve-icon NVD

Status : Deferred

Published: 2025-11-11T11:15:35.060

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12846

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T01:45:24Z

Weaknesses