WordPress Plugin Vulnerabilities

Blocksy Companion < 2.1.20 - Author+ Arbitrary File Upload via SVG Upload Bypass

Description

The plugin is vulnerable to authenticated arbitrary file upload due to insufficient file type validation detecting SVG files, allowing double extension files to bypass sanitization while being accepted as a valid SVG file. This makes it possible for authenticated attackers, with author level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

Plugin icon
blocksy-companion
Fixed in 2.1.20

References

CVE
CVE-2025-12846
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f8615422-5db7-495d-9956-7d6f658f42bf

Miscellaneous

Original Researcher
shark3y
Verified
No
WPVDB ID
da1eeeb7-6f61-4f3a-ab51-9ce96977b46d

Timeline

Publicly Published
2025-11-10 (about 6 months ago)
Added
2025-11-11 (about 6 months ago)
Last Updated
2025-11-11 (about 6 months ago)

Other

Published
Title
Published
2024-06-21
Title
InstaWP Connect < 0.1.0.39 - Unauthenticated Arbitrary File Upload
Published
2021-02-10
Title
Responsive Menu 4.0.0 - 4.0.3 - Authenticated Arbitrary File Upload
Published
2024-05-06
Title
canvasio3D Light <= 2.5.0 - Authenticated (Subscriber+) Arbitrary File Upload
Published
2026-04-17
Title
WpStream < 4.11.2 - Subscriber+ File Upload
Published
2023-12-27
Title
Rencontre – Dating Site < 3.11 - Unauthenticated Arbitrary File Upload