cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches for greenshift-animation-and-page-builder-blocks

Apr 15, 2026

Greenshift – animation and page builder blocks # CVE-2026-2371

CVE, Research URL

CVE-2026-2371

Date
Mar 07, 2026
Research Description
The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 12.8.3. This is due to missing authorization and post status validation in the `gspb_el_reusable_load()` AJAX handler. The handler accepts an arbitrary `post_id` parameter and renders the content of any `wp_block` post without checking `current_user_can('read_post', $post_id)` or verifying the post status. Combined with the nonce being exposed to unauthenticated users on any public page using the `[wp_reusable_render]` shortcode with `ajax="1"`, this makes it possible for unauthenticated attackers to retrieve the rendered HTML content of private, draft, or password-protected reusable blocks.
Affected versions
max 12.8.4.
Status
vulnerable

Greenshift – animation and page builder blocks # CVE-2026-2593

CVE, Research URL

CVE-2026-2593

Date
Mar 06, 2026
Research Description
The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `_gspb_post_css` post meta value and the `dynamicAttributes` block attribute in all versions up to, and including, 12.8.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 12.8.6.
Status
vulnerable

Greenshift – animation and page builder blocks # CVE-2026-1927

CVE, Research URL

CVE-2026-1927

Date
Feb 05, 2026
Research Description
The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the greenshift_app_pass_validation() function in all versions up to, and including, 12.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve global plugin settings including stored AI API keys and modify plugin settings, including the injection of arbitrary web scripts via the 'custom_css' value (stored XSS). NOTE: This vulnerability was partially patched in version 12.6.
Affected versions
max 12.6.1.
Status
vulnerable

Greenshift – animation and page builder blocks # CVE-2026-2589

CVE, Research URL

CVE-2026-2589

Date
Mar 06, 2026
Research Description
The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 12.8.3 via the automated Settings Backup stored in a publicly accessible file. This makes it possible for unauthenticated attackers to extract sensitive data including the configured OpenAI, Claude, Google Maps, Gemini, DeepSeek, and Cloudflare Turnstile API keys.
Affected versions
max 12.8.4.
Status
vulnerable
Apr 14, 2026

Greenshift – animation and page builder blocks # CVE-2026-4895

CVE, Research URL

CVE-2026-4895

Date
Apr 11, 2026
Research Description
The GreenShift - Animation and Page Builder Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 12.8.9. This is due to insufficient input sanitization and output escaping in the gspb_greenShift_block_script_assets() function. The function uses str_replace() to insert 'fetchpriority="high"' before 'src=' attributes when processing greenshift-blocks/image blocks with the disablelazy attribute enabled. Because this replacement operates on the entire HTML string without parsing, contributors can inject the string 'src=' into HTML attribute values (such as class attributes). When the str_replace executes, the double quotes in the replacement string break out of the attribute context, allowing injection of malicious HTML attributes like onfocus with JavaScript payloads. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 12.9.0.
Status
vulnerable
Nov 11, 2025

Greenshift – animation and page builder blocks # CVE-2025-11841

CVE, Research URL

CVE-2025-11841

Date
Nov 04, 2025
Research Description
The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Chart Data attributes in all versions up to, and including, 12.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 12.2.8.
Status
vulnerable
Aug 24, 2025

Greenshift – animation and page builder blocks # CVE-2025-57884

CVE, Research URL

CVE-2025-57884

Date
Aug 22, 2025
Research Description
Missing Authorization vulnerability in wpsoul Greenshift allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Greenshift: from n/a through 12.1.1.
Affected versions
max 12.1.2.
Status
vulnerable
May 07, 2025

Greenshift – animation and page builder blocks # CVE-2022-4974

CVE, Research URL

CVE-2022-4974

Date
Oct 16, 2024
Research Description
The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.
Affected versions
max 1.1.6.
Status
vulnerable
Apr 29, 2025

Greenshift – animation and page builder blocks # CVE-2025-3616

CVE, Research URL

CVE-2025-3616

Date
Apr 22, 2025
Research Description
The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the gspb_make_proxy_api_request() function in versions 11.4 to 11.4.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The arbitrary file upload was sufficiently patched in 11.4.5, but a capability check was added in 11.4.6 to properly prevent unauthorized limited file uploads.
Affected versions
max 11.4.6.
Status
vulnerable
Apr 03, 2025

Greenshift – animation and page builder blocks # CVE-2025-30873

CVE, Research URL

CVE-2025-30873

Date
Mar 27, 2025
Research Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpsoul Greenshift allows Stored XSS. This issue affects Greenshift: from n/a through 11.0.2.
Affected versions
max 11.1.
Status
vulnerable
Feb 27, 2025

Greenshift – animation and page builder blocks # CVE-2025-26884

CVE, Research URL

CVE-2025-26884

Date
Feb 25, 2025
Research Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpsoul Greenshift allows Stored XSS. This issue affects Greenshift: from n/a through 10.8.
Affected versions
max 10.9.
Status
vulnerable
Jan 10, 2025

Greenshift – animation and page builder blocks # CVE-2024-6155

CVE, Research URL

CVE-2024-6155

Date
Jan 09, 2025
Research Description
The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Authenticated (Subscriber+) Server-Side Request Forgery and Stored Cross Site Scripting in all versions up to, and including, 9.0.0 due to a missing capability check in the greenshift_download_file_localy function, along with no SSRF protection and sanitization on uploaded SVG files. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application that can also be leveraged to download malicious SVG files containing Cross-Site Scripting payloads to the server. On Cloud-based servers, attackers could retrieve the instance metadata. The issue was partially patched in version 8.9.9 and fully patched in version 9.0.1.
Affected versions
max 9.0.1.
Status
vulnerable
Dec 12, 2024

Greenshift – animation and page builder blocks # CVE-2024-11181

CVE, Research URL

CVE-2024-11181

Date
Dec 12, 2024
Research Description
The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 9.9.9.3 via the 'wp_reusable_render' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to.
Affected versions
max 9.9.9.4.
Status
vulnerable
Oct 28, 2024

Greenshift – animation and page builder blocks # CVE-2024-50419

CVE, Research URL

CVE-2024-50419

Date
Oct 30, 2024
Research Description
Incorrect Authorization vulnerability in Wpsoul Greenshift – animation and page builder blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Greenshift – animation and page builder blocks: from n/a through 9.7.
Affected versions
max 9.8.
Status
vulnerable
Sep 19, 2024

Greenshift – animation and page builder blocks # CVE-2024-44005

CVE, Research URL

CVE-2024-44005

Date
Sep 18, 2024
Research Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wpsoul Greenshift – animation and page builder blocks allows Stored XSS. This issue affects Greenshift – animation and page builder blocks: from n/a through 9.3.7.
Affected versions
max 9.4.
Status
vulnerable
Jun 21, 2024

Greenshift – animation and page builder blocks # CVE-2024-35765

CVE, Research URL

CVE-2024-35765

Date
Jun 19, 2024
Research Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wpsoul Greenshift – animation and page builder blocks allows Stored XSS. This issue affects Greenshift – animation and page builder blocks: from n/a through 8.8.9.1.
Affected versions
max 8.9.4.
Status
vulnerable
Jun 07, 2024

Greenshift – animation and page builder blocks # cb5648db5073ddd604f4a58da2a251643969c91b

Date
Feb 28, 2022
Research Description
Greenshift – animation and page builder blocks [greenshift-animation-and-page-builder-blocks] < 1.1.6. WordPress Greenshift – animation and page builder blocks plugin < 1.1.4 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability, discovered in WordPress Greenshift – animation and page builder blocks plugin (versions < 1.1.4).
Affected versions
max 1.1.6.
Status
vulnerable

Greenshift – animation and page builder blocks # CVE-2023-6636

CVE, Research URL

CVE-2023-6636

Date
Jan 11, 2024
Research Description
The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation on the 'gspb_save_files' function in versions up to, and including, 7.6.2. This makes it possible for authenticated attackers with administrator-level capabilities or above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Affected versions
max 7.6.3.
Status
vulnerable

Greenshift – animation and page builder blocks # CVE-2022-4653

CVE, Research URL

CVE-2022-4653

Date
Jan 16, 2023
Research Description
The Greenshift WordPress plugin before 4.8.9 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks.
Affected versions
max 4.8.9.
Status
vulnerable

Greenshift – animation and page builder blocks # CVE-2023-22707

CVE, Research URL

CVE-2023-22707

Date
Mar 27, 2023
Research Description
Auth. (author+) Cross-Site Scripting (XSS) vulnerability in Wpsoul Greenshift – animation and page builder blocks plugin <= 4.9.9 versions.
Affected versions
max 5.0.
Status
vulnerable

Greenshift – animation and page builder blocks # CVE-2023-0378

CVE, Research URL

CVE-2023-0378

Date
Feb 21, 2023
Research Description
The Greenshift WordPress plugin before 5.0 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
Affected versions
max 4.8.1.
Status
vulnerable