vulnerability
WordPress Plugin: blocksy-companion: CVE-2025-12846: Unrestricted Upload of File with Dangerous Type
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 9 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | Nov 10, 2025 | Nov 11, 2025 | May 4, 2026 |
Severity
9
CVSS
(AV:N/AC:L/Au:S/C:C/I:C/A:C)
Published
Nov 10, 2025
Added
Nov 11, 2025
Modified
May 4, 2026
Description
The Blocksy Companion plugin for WordPress is vulnerable to authenticated arbitrary file upload in all versions up to, and including, 2.1.19. This is due to insufficient file type validation detecting SVG files, allowing double extension files to bypass sanitization while being accepted as a valid SVG file. This makes it possible for authenticated attackers, with author level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Solution
blocksy-companion-plugin-cve-2025-12846
References
- https://www.cve.org/CVERecord?id=CVE-2025-12846
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f8615422-5db7-495d-9956-7d6f658f42bf?source=api-prod
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2025-84359
- CVE-2025-12846
- https://attackerkb.com/topics/CVE-2025-12846
- CWE-434
- EUVD-EUVD-2025-84359
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.