CVE Alert: CVE-2025-12846 – creativethemeshq – Blocksy Companion

CVE-2025-12846

Severity: HIGH
No exploitation known

The Blocksy Companion plugin for WordPress is vulnerable to authenticated arbitrary file upload in all versions up to, and including, 2.1.19. This is due to insufficient file type validation detecting SVG files, allowing double extension files to bypass sanitization while being accepted as a valid SVG file. This makes it possible for authenticated attackers, with author level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible.

CVSS v3.1 (8.8)
Vendor
creativethemeshq
Product
Blocksy Companion
Versions
* <= 2.1.19
CWE
CWE-434: Unrestricted Upload of File with Dangerous Type
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Published
2025-11-11T11:03:46.642Z
Updated
2025-11-11T11:03:46.642Z

AI Summary Analysis

Risk verdict

High risk of authenticated arbitrary file upload with potential remote code execution; patch promptly and monitor until fixes are deployed.

Why this matters

Authenticated authors can upload malicious SVGs that bypass sanitisation, potentially enabling server compromise, data exfiltration, or site defacement. In typical WordPress deployments, a single vulnerable plugin can serve as a foothold for broader compromise across hosted environments.

Most likely attack path

  • Attacker requires author-level access (low precondition).
  • Network-based vector: upload of an SVG that bypasses file-type validation due to double-extension handling, enabling arbitrary file storage on the server.
  • High impact: if the server executes the uploaded file, or the SVG payload triggers code execution, the attacker may achieve RCE or pivot within the hosting environment.

Who is most exposed

WordPress sites using Blocksy Companion <= 2.1.19 with author+ roles and enabled file uploads; hosting setups that execute or serve user-uploaded content (including SVGs) are at greatest risk.

Detection ideas

  • Alerts for SVG uploads with double extensions or non-standard SVG content.
  • Post-upload writes to web-accessible uploads directories, especially with executable payloads.
  • Logs showing SVG uploads from author accounts, or anomalous activity immediately after upload.
  • Unexpected 500-series errors linked to upload handling.
  • Elevated activity by author accounts around upload events.

Mitigation and prioritisation

  • Apply the Blocksy Companion update to a fixed version (2.1.20+).
  • Disable or strictly restrict SVG uploads; implement strict MIME/extension validation and remove double extensions.
  • Enforce least privilege for author+ accounts; review and normalise user roles.
  • Add input validation and content sanitisation for uploads; consider sandbox execution checks.
  • Deploy WAF rules and enable focused monitoring on the uploads path; perform staged testing prior to full rollout.
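The strict MIME/extension validation recommended above, shown as an added Python example that is not the plugin's code or anything from the advisory: an assumed weak SVG acceptance path (any name containing ".svg" whose body parses as SVG) sits beside a hardened check that allows exactly one allow-listed extension and requires the body to match it. The sample filenames and bodies are constructed for the comparison.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Leading bytes expected for the binary image types on the allow-list.
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff"}
# A plain basename followed by exactly one allow-listed extension: no extra dots.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,100}\.(svg|png|jpg)$", re.IGNORECASE)

def looks_like_svg(body: bytes) -> bool:
    """True when the body parses as XML whose root element is <svg>.
    (Production code should parse with defusedxml to limit XML bombs.)"""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False
    return root.tag == f"{{{SVG_NS}}}svg"

def weak_is_allowed(filename: str, body: bytes) -> bool:
    """Assumed weak SVG acceptance path (illustrative, not the plugin's code):
    any name containing '.svg' whose body parses as SVG is accepted, so a
    double-extension name such as 'logo.svg.php' is stored under that name."""
    return ".svg" in filename.lower() and looks_like_svg(body)

def strict_is_allowed(filename: str, body: bytes) -> bool:
    """Hardened check: one allow-listed extension, no further dots in the
    name, and a body that matches that extension (SVG root or magic bytes)."""
    match = SAFE_NAME.match(filename)
    if not match:
        return False
    ext = match.group(1).lower()
    if ext == "svg":
        return looks_like_svg(body)
    return body.startswith(MAGIC[ext])

# Constructed sample uploads for the comparison (not real captured traffic).
SVG_BODY = b'<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1"/>'
PNG_BODY = MAGIC["png"] + b"\x00" * 8
SAMPLES = [
    ("logo.svg", SVG_BODY),       # well-formed SVG under a single extension
    ("logo.svg.php", SVG_BODY),   # double extension with a valid SVG body
    ("photo.png", PNG_BODY),      # binary image with matching magic bytes
    ("photo.png", SVG_BODY),      # extension and content disagree
]

def compare(samples=SAMPLES):
    """Return (filename, weak_result, strict_result) for each sample upload."""
    return [(n, weak_is_allowed(n, b), strict_is_allowed(n, b)) for n, b in samples]
```

`compare()` returns the weak and strict verdicts side by side, so the double-extension case is the one row where the two checks disagree.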
