In a single week of early July, three separate security disclosures landed across the web-hosting stack, and read together they tell one story. A critical flaw in a popular WordPress theme add-on, an unauthenticated file-deletion bug in a long-running file-manager plugin, and a server-side request forgery hole in a web-based FTP client were all published between July 7 and July 9. None share a codebase. All three share a root cause: input validation that was present but done by shortcut, and all three put the hosting provider, not just the site owner, in the blast radius.

The Week’s Three Disclosures

  • Blocksy Companion Pro (CVSS 9.2, critical). An unauthenticated arbitrary file upload leading to remote code execution, disclosed by VulnCheck on July 8. The Custom Fonts extension validated uploads with a strpos() substring check, which an attacker bypasses with a double-extension filename such as shell.woff2.php: the substring satisfies the check while the server executes the file as PHP. Fixed in Blocksy Companion 2.1.47. The base plugin is active on around 300,000 sites; the flaw is in the premium Pro tier (Advanced Reviews, Custom Fonts), so the exposed set is the subset running those paid extensions. Reported by Nguyen Ba Khanh.
  • Frontend File Manager Plugin (CVE-2026-12277, CVSS 8.7, high). Unauthenticated arbitrary file deletion. The plugin deletes a file at a path taken from user input without validating it, so when guest-upload mode is enabled an attacker can delete arbitrary server files, including wp-config.php. Removing that file drops WordPress back into its install routine, which can be turned into a full site takeover. Affects versions through 23.6, which is where it stopped: the plugin was pulled from the WordPress.org directory on May 27, 2026 and remains closed pending review, so WPScan’s July 7 disclosure arrived with no fix available and none expected.
  • Monsta FTP (CVE-2026-60105, CVSS 8.6, high). Server-side request forgery. The isBlockedIP() function failed to catch IPv4 addresses embedded in IPv4-mapped IPv6 notation, so an unauthenticated attacker, using a CSRF token from the public getSystemVars endpoint, can make the fetchRemoteFile action request internal addresses. On cloud servers that reaches the instance metadata endpoint and its credentials. Fixed in Monsta FTP 2.14.5. Monsta FTP, a browser-based FTP client often installed on hosting accounts, had a separate remote-code-execution flaw (CVE-2025-34299) that was exploited in the wild, so it is already on attackers’ radar.

The Common Thread: Validation by Shortcut

In each case the code did check its input. It just checked the wrong way: a substring stood in for a real extension test, a path was trusted without being normalized, a blocklist did not understand one of IPv6’s address formats. These are not missing checks; they are checks a determined input walks straight through, which is why they pass code review and ship. The pattern is the one the industry keeps rediscovering: validation is only as good as its edge cases, and file handling has the most dangerous edges. Uploads, deletions and remote fetches are precisely the operations where a single overlooked case turns into code execution, a wiped configuration, or leaked credentials.

Why It Lands on the Host

For a hosting provider, a customer’s plugin choice becomes the provider’s problem the moment something goes wrong. An RCE like the Blocksy flaw gives an attacker code execution inside a shared environment, where the next question is always whether the compromise stays in one account. The Frontend File Manager bug deletes wp-config.php, which does not just break a site but can hand it over, and the support ticket lands on the host either way. The Monsta FTP SSRF is the sharpest for cloud hosts specifically: reaching the metadata endpoint can leak the credentials of the underlying instance, turning one customer’s outdated FTP tool into a key to the infrastructure beneath it. And when the vendor has already walked away, as with Frontend File Manager, pulled from the directory with the vulnerable version left in place, no upstream fix is coming at all and the host is the only line of defense left. In every case the blast radius is wider than the single vulnerable install, which is exactly why hosts increasingly treat customer-side software as part of their own attack surface.

What Hosts and Admins Should Do

  • Update the fixed components: Blocksy Companion to 2.1.47 or later, Monsta FTP to 2.14.5 or later. Frontend File Manager has been closed on the WordPress.org directory since May, so remove it rather than wait for a patch that is not coming; at minimum, disable guest-upload mode immediately.
  • Lean on virtual patching: vulnerability-mitigation layers of the kind Patchstack and Wordfence ship can block these classes at the edge before customers update, which is the realistic timeline on shared hosting.
  • Lock down cloud metadata: require the hardened metadata service (IMDSv2 with a low hop limit) and restrict outbound egress, so an SSRF cannot trivially read instance credentials.
  • Watch the file paths: uploads, deletions and remote fetches are where these keep surfacing, and monitoring those operations is higher-yield than generic scanning.

None of these three is exotic. They are the ordinary failure modes of file-handling code, disclosed in a single week, and they will not be the last of the year. For hosts, the lesson keeps repeating: the weakest link is rarely the server. It is the validation shortcut in someone else’s code, running on your platform.

About the Data

Severity scores and affected-version ranges are drawn from the NVD records for CVE-2026-12277 and CVE-2026-60105 and from the VulnCheck and WPScan advisories, published July 7 to 9, 2026. The Blocksy Companion Pro flaw is identified here by its VulnCheck advisory, which listed no CVE identifier at the time of writing. The install count is as reported for the base Blocksy Companion plugin and is broader than the Pro subset affected by this flaw. Exploitation status reflects what the advisories state; the actively-exploited Monsta FTP issue cited for context is a separate, earlier CVE (CVE-2025-34299), not CVE-2026-60105.