Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpsoul Greenshift greenshift-animation-and-page-builder-blocks allows Stored XSS. This issue affects Greenshift: from n/a through <= 11.0.2.
Published: 2025-03-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WordPress users of the Greenshift plugin are exposed to a stored Cross‑Site Scripting flaw caused by the plugin’s failure to properly neutralize user‑supplied input before rendering it in a web page. The likely attack vector involves an attacker or compromised user inserting malicious script into input fields that Greenshift stores and subsequently displays, enabling execution of arbitrary JavaScript in the browsers of site visitors. This can lead to session hijacking, credential theft, defacement, or further compromise of the affected WordPress site.

Affected Systems

All installations of the wpsoul Greenshift plugin through version 11.0.2 are affected. Any WordPress site running this plugin, regardless of the WordPress core version, is vulnerable if the plugin has not been patched to 11.0.3 or later.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.5, reflecting moderate severity, and an EPSS score of less than 1%, indicating a low probability of widespread exploitation at present. It is not listed in the CISA KEV catalog. Exploitability generally requires access to an interface where users can create or edit content via Greenshift, meaning an attacker would likely need a user account with editing privileges. Once an injection succeeds, the impact is confined to individuals who view the affected page, but the threat from attackers is amplified by the remote, script‑based nature of the payload.

Generated by OpenCVE AI on May 1, 2026 at 03:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Greenshift plugin update to version 11.0.3 or later. This patch addresses the XSS issue by ensuring proper input sanitization.
  • If an immediate update is not possible, disable the Greenshift plugin entirely or restrict its use to trusted administrators only, preventing new data from being stored and displayed.
  • Audit other plugins and themes for similar input handling vulnerabilities and apply available patches or mitigations, such as content security policies, to reduce the risk of other XSS vectors.

Advisories
Source: EUVD
ID: EUVD-2025-8323
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpsoul Greenshift allows Stored XSS. This issue affects Greenshift: from n/a through 11.0.2.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpsoul Greenshift allows Stored XSS. This issue affects Greenshift: from n/a through 11.0.2.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpsoul Greenshift greenshift-animation-and-page-builder-blocks allows Stored XSS. This issue affects Greenshift: from n/a through <= 11.0.2.

Type: References

Type: Metrics (cvssV3_1)
Values Removed: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}
Values Added: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Mon, 09 Jun 2025 19:45:00 +0000

Type: First Time appeared
Values Added: Wpsoul; Wpsoul greenshift

Type: CPEs
Values Added: cpe:2.3:a:wpsoul:greenshift:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Added: Wpsoul; Wpsoul greenshift

Thu, 27 Mar 2025 14:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 27 Mar 2025 11:00:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpsoul Greenshift allows Stored XSS. This issue affects Greenshift: from n/a through 11.0.2.

Type: Title
Values Added: WordPress Greenshift plugin <= 11.0.2 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:59.355Z

Reserved: 2025-03-26T09:21:15.799Z

Link: CVE-2025-30873

Vulnrichment

Updated: 2025-03-27T13:11:55.207Z

NVD

Status: Modified

Published: 2025-03-27T11:15:48.523

Modified: 2026-04-23T15:27:14.173

Link: CVE-2025-30873

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T04:00:06Z

Weaknesses