Your WordPress Plugin Is a Loaded Gun: The CVE-2026-58480 File Upload Flaw Explained
Two vulnerabilities published in the last 24 hours deserve your attention today. One is a near-perfect severity score against one of the most common website platforms on the planet. The other is sitting inside Microsoft’s own survey tooling. Neither requires the attacker to be logged in.
Let’s go through them.
CVE-2026-58480: The WordPress Plugin With a 9.8 Score and No Door Lock
Blocksy Companion Pro is a popular WordPress plugin used by thousands of small business websites to manage fonts, advanced reviews, and design customisation. Before version 2.1.47, it contains a vulnerability that allows anyone on the internet to upload an executable PHP file to your web server. No username. No password. No prior access.
The CVSS score is 9.8 out of 10. That number reflects two things: the ease of exploitation (trivial), and the impact if successful (complete server compromise).
The technical mechanism is worth understanding, because it illustrates a failure pattern that repeats across dozens of vulnerabilities every year. The plugin’s save_attachments function, exposed through the Advanced Reviews feature, checks uploaded filenames for font extensions using PHP’s strpos() function. The strpos() check looks for whether the string .woff2 appears anywhere in the filename. It is not checking that the filename ends with .woff2. It is checking for a substring match.
So a filename of shell.woff2.php passes the check. The validation sees .woff2 and waves it through. The web server then sees .php and executes it.
An attacker uploads the file. The web server runs it. Your business website is now executing an attacker’s instructions.
What this means in practice: The attacker gains remote code execution on your hosting environment. Depending on server configuration, this can mean reading customer data, planting malware that infects site visitors, using your server to attack other systems, or full takeover of the hosting account.
The patch is available. Version 2.1.47 fixes the validation logic. If you are running Blocksy Companion Pro, you need to update it now, not at your next scheduled maintenance window.
CVE-2026-47646: Microsoft Dynamics 365 Customer Voice and Spoofing Over the Network
The second vulnerability published in the last 24 hours affects Microsoft Dynamics 365 Customer Voice, scoring 9.3 on the CVSS scale. It is a cross-site scripting flaw (XSS) that allows an unauthenticated attacker to perform spoofing attacks over a network.
Dynamics 365 Customer Voice is the survey and feedback platform. Small businesses use it to collect customer satisfaction data, post-purchase feedback, and event registrations. It is often embedded directly into business websites or sent as links in post-sale emails.
A spoofing vulnerability of this type means an attacker can craft malicious content that appears to originate from your legitimate survey infrastructure. The practical attack surface is significant: a customer receives what looks like your standard feedback survey, interacts with it, and in doing so exposes credentials, session data, or is redirected to a credential-harvesting page.
Microsoft has been notified. Watch for a patch through Microsoft Update. If you use Dynamics 365 Customer Voice and embed it externally, monitor communications from Microsoft closely.
The Pattern Behind This Week’s Alerts
These two vulnerabilities do not exist in isolation. This week, CISA added four flaws to its Known Exploited Vulnerabilities (KEV) catalogue, confirming active exploitation in the wild. Two of those are Joomla page builder plugin flaws, CVE-2026-48908 and CVE-2026-56290, each rated at the maximum CVSS score of 10.0. Unauthenticated file upload. Remote code execution. Identical mechanism to the Blocksy flaw above.
Joomla powers just over one percent of all websites globally. That sounds small. Divide that by the total number of websites on the internet and it represents millions of targets. CISA does not add items to the KEV catalogue speculatively. Active exploitation is confirmed.
The pattern is consistent: CMS plugins with inadequate file upload validation are being systematically targeted. This is not sophisticated nation-state tradecraft. This is opportunistic scanning for known-vulnerable plugin versions, followed by automated exploitation. The tooling required to do this is freely available and not technically demanding.
Your business website is not too small to appear in that scan.
Why Your MSP’s Answer to “Is It Patched?” Matters
The majority of small businesses in the UK have their websites managed by either an MSP, a web development agency, or a freelancer. Many of those relationships operate on a retainer that was defined years ago and has not been renegotiated since.
The uncomfortable question is this: does your web provider have a defined process for monitoring plugin vulnerabilities and applying patches within a specified timeframe? Not a vague commitment to “keep things up to date”. A defined service level. A documented process. Evidence that it is being executed.
If the answer is uncertain, that uncertainty has a cost. CVE-2026-58480 was published on 8 July 2026. Automated scanners are indexing vulnerable installations now. Every day without a patch is a day the door is open.
Ask your provider today. Ask specifically about Blocksy Companion Pro and whether it has been updated to version 2.1.47. If they cannot confirm within a working day, that is meaningful information about the quality of the service you are receiving.
How to Turn This Into a Competitive Advantage
For businesses that handle customer data through their website, demonstrating active patch management is increasingly a procurement differentiator. Supply chain security questionnaires from larger clients now routinely ask about third-party software update processes.
Being able to evidence that you identified CVE-2026-58480 on the day of publication, confirmed patch status with your provider within 24 hours, and have a documented process for doing so consistently, is not just good security. It is a documented, auditable answer to a question your next enterprise client is going to ask.
Cyber Essentials certification requires that software is kept up to date, including third-party plugins. If you hold or are pursuing certification, your plugin patch process is in scope. The KEV catalogue provides a useful independent reference for demonstrating that your patch prioritisation is evidence-based rather than arbitrary.
Making the Business Case
Three arguments for budget and board-level attention:
The cost of remediation after a breach dwarfs the cost of patching before one. A compromised website hosting environment typically requires forensic investigation, hosting provider involvement, customer notification if data was accessed, and potential ICO reporting under GDPR. The patch is free. The breach response is not.
Your website is your most publicly accessible attack surface. Unlike internal systems, your website is designed to be reachable by anyone. Unpatched plugins are the lowest-effort entry point for attackers specifically because the surface is exposed by design.
CISA’s KEV catalogue documents real-world exploitation. The Joomla plugin flaws added this week have confirmed active exploitation. The Blocksy vulnerability follows an identical mechanism. Regulators and insurers are increasingly expecting organisations to demonstrate awareness of and response to known-exploited vulnerabilities.
What to Do Before the End of Today
-
Check your Blocksy Companion Pro version. Log into your WordPress admin panel, navigate to Plugins, and confirm the version number. If it is below 2.1.47, update it immediately.
-
Audit all active plugins against current published versions. The WordPress admin panel shows available updates. Every outstanding plugin update is a potential exposure. Work through the list.
-
If someone else manages your website, ask them in writing. Send a specific message today asking for confirmation that Blocksy Companion Pro has been updated to 2.1.47 and that plugin update processes are current. Document the response.
-
If you use Dynamics 365 Customer Voice, monitor for the patch. Ensure automatic updates are enabled in your Microsoft 365 tenant, and check for communications from Microsoft regarding CVE-2026-47646.
-
Review how file uploads are handled on any web forms you operate. This week’s theme is inadequate file upload validation. If your website accepts file uploads from users, ask your developer when that validation logic was last reviewed.
Before you go: follow the show wherever you listen, leave a rating or review, drop a comment with your thoughts, and share it with someone who would find it useful. If this brief saved someone a difficult conversation with their hosting provider, that is the point.