The Greenshift – animation and page builder blocks plugin for WordPress has a missing capability check in the greenshift_app_pass_validation() function. This flaw allows any authenticated user with Subscriber privileges or higher to call the function and read or modify global plugin settings. The attacker can harvest stored AI API keys, an important credential that could be used to access external services, and inject arbitrary JavaScript through the custom_css field, leading to stored cross‑site scripting. The weakness is a missing authorization (CWE‑862) and results in both data disclosure and potential XSS attacks.

Affected systems are WordPress installations running the Greenshift – animation and page builder blocks plugin from any version up to and including 12.6. The official remediation notes that a partial fix appears in 12.6, so any instance still running 12.5 or earlier remains fully vulnerable. Versions beyond 12.6 that include the complete patch are considered safe. Administrators should verify the installed plugin version and determine whether the latest available release contains the full fix.

With a CVSS score of 5.4 and an EPSS score of less than 1 %, the vulnerability has medium severity and a very low estimated exploitation probability. It is not listed in the CISA KEV catalog, meaning no confirmed public exploits are in the CISA database yet. The attack vector requires a valid authenticated session and the subscriber role, so the opportunity to exploit depends on having such credentials. Once authenticated, the attacker can request plugin settings to extract AI keys or post crafted CSS that the plugin accepts, resulting in stored XSS that will execute whenever a page with the CSS is rendered.