Description
The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 12.8.3. This is due to missing authorization and post status validation in the `gspb_el_reusable_load()` AJAX handler. The handler accepts an arbitrary `post_id` parameter and renders the content of any `wp_block` post without checking `current_user_can('read_post', $post_id)` or verifying the post status. Combined with the nonce being exposed to unauthenticated users on any public page using the `[wp_reusable_render]` shortcode with `ajax="1"`, this makes it possible for unauthenticated attackers to retrieve the rendered HTML content of private, draft, or password-protected reusable blocks.
Published: 2026-03-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized disclosure of private reusable block content
Action: Apply Patch
AI Analysis

Impact

The Greenshift – animation and page builder blocks plugin for WordPress contains an insecure direct object reference flaw in the gspb_el_reusable_load AJAX handler. The handler accepts an arbitrary post_id parameter and renders the content of any wp_block post without verifying that the current user has permission to read the post or that the post is public. Consequently, unauthenticated attackers can retrieve the rendered HTML of private, draft, or password-protected reusable blocks, exposing confidential content. This vulnerability is classified as CWE-862 (Missing Authorization).

Affected Systems

All installations of the Greenshift – animation and page builder blocks plugin for WordPress up to and including version 12.8.3 are affected; any WordPress site running one of these versions can be compromised.

Risk and Exploitability

The CVSS score is 5.3, indicating medium severity, while the EPSS score is below 1%, implying a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote unauthenticated request to the gspb_el_reusable_load AJAX endpoint, where the attacker can supply any post_id and obtain the rendered block content. Because the nonce is exposed on publicly accessible pages that use the wp_reusable_render shortcode with ajax="1", the attack does not require user authentication or elevated privileges, making this an exploitable unauthorized disclosure scenario.

Generated by OpenCVE AI on April 15, 2026 at 17:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Greenshift plugin to a version that includes the missing authorization check, such as 12.8.4 or later.
  • If an immediate update is not possible, restrict access to the gspb_el_reusable_load AJAX endpoint by ensuring only authenticated users can call it, for example by adding a permission check before processing the request.
  • Remove or sanitize the wp_reusable_render shortcode with ajax="1" from all publicly accessible pages to prevent exposure of the nonce and of the unauthenticated AJAX entry point.
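The permission check the second action calls for, written here as an added illustration of a hardened handler and not taken from the plugin's code: the hook name is the one the advisory names; the nonce action 'gspb_reusable_nonce', the function name and the response shape are assumptions. Because WordPress maps the wp_block post type's 'read' capability to 'edit_posts', the published-status test is what still lets anonymous visitors load blocks that were meant to be public, while everything else falls through to current_user_can('read_post').

```php
<?php
// Added example of the checks the advisory says were missing; not the plugin's own code.
// Assumed names: 'gspb_reusable_nonce' (nonce action) and the callback function below.

add_action( 'wp_ajax_gspb_el_reusable_load', 'example_gspb_reusable_load_hardened' );
add_action( 'wp_ajax_nopriv_gspb_el_reusable_load', 'example_gspb_reusable_load_hardened' );

function example_gspb_reusable_load_hardened() {
    // A nonce only proves the request came from a page that rendered it;
    // it is not authorization, so the checks below are still required.
    check_ajax_referer( 'gspb_reusable_nonce', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;

    // Only reusable blocks may be loaded through this endpoint; no other
    // post type leaks through by supplying its ID.
    if ( ! $post || 'wp_block' !== $post->post_type ) {
        wp_send_json_error( 'not found', 404 );
    }

    // Post status validation: a block is public only when published and
    // not behind a post password (drafts, private and pending are not).
    $is_public = ( 'publish' === $post->post_status ) && ! post_password_required( $post );

    // Authorization: non-public blocks are served only to users WordPress
    // itself allows to read them (read_post on wp_block maps to edit_posts).
    if ( ! $is_public && ! current_user_can( 'read_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Render through the normal content pipeline so blocks and shortcodes expand.
    $html = apply_filters( 'the_content', $post->post_content );
    wp_send_json_success( array( 'html' => $html ) );
}
```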

History

Mon, 09 Mar 2026 20:15:00 +0000

  Metrics (ssvc) added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

  First Time appeared: Wordpress wordpress; Wpsoul greenshift – Animation And Page Builder Blocks
  Vendors & Products added: Wordpress wordpress; Wpsoul greenshift – Animation And Page Builder Blocks

Fri, 06 Mar 2026 23:30:00 +0000

  Description added: The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 12.8.3. This is due to missing authorization and post status validation in the `gspb_el_reusable_load()` AJAX handler. The handler accepts an arbitrary `post_id` parameter and renders the content of any `wp_block` post without checking `current_user_can('read_post', $post_id)` or verifying the post status. Combined with the nonce being exposed to unauthenticated users on any public page using the `[wp_reusable_render]` shortcode with `ajax="1"`, this makes it possible for unauthenticated attackers to retrieve the rendered HTML content of private, draft, or password-protected reusable blocks.
  Title added: Greenshift <= 12.8.3 - Missing Authorization to Unauthenticated Private Reusable Block Disclosure via 'gspb_el_reusable_load'
  Weaknesses added: CWE-862
  References added: (none shown)
  Metrics (cvssV3_1) added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:52:48.813Z

Reserved: 2026-02-11T20:40:34.454Z

Link: CVE-2026-2371

Vulnrichment

Updated: 2026-03-09T19:12:46.038Z

NVD

Status: Deferred

Published: 2026-03-07T00:16:13.457

Modified: 2026-04-22T21:27:27.950

Link: CVE-2026-2371

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T18:00:15Z

Weaknesses