Description
The GreenShift - Animation and Page Builder Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 12.8.9. This is due to insufficient input sanitization and output escaping in the gspb_greenShift_block_script_assets() function. The function uses str_replace() to insert 'fetchpriority="high"' before 'src=' attributes when processing greenshift-blocks/image blocks with the disablelazy attribute enabled. Because this replacement operates on the entire HTML string without parsing, contributors can inject the string 'src=' into HTML attribute values (such as class attributes). When the str_replace executes, the double quotes in the replacement string break out of the attribute context, allowing injection of malicious HTML attributes like onfocus with JavaScript payloads. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-04-11
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS) allowing arbitrary script execution
Action: Immediate Patch
AI Analysis

Impact

The GreenShift plugin for WordPress is affected by a stored XSS flaw. The vulnerability originates in the gspb_greenShift_block_script_assets() function, which uses str_replace() to insert 'fetchpriority="high"' before 'src=' without parsing or escaping the HTML. An authenticated user with contributor-level or higher permissions can embed the text 'src=' in an attribute value, such as a class attribute. When the replacement runs, the double quotes in the inserted string end that attribute early, so the rest of the attacker-supplied value is parsed as additional attributes, including JavaScript event handlers. The injected content is stored with the block and runs whenever the page is viewed, enabling session hijacking, credential theft, or phishing. This weakness is classified as CWE-79 and lets the attacker execute arbitrary scripts in any visitor's browser.

Affected Systems

Any WordPress site that has the Greenshift – Animation and Page Builder Blocks plugin installed in version 12.8.9 or earlier is vulnerable. Users who have contributor or higher capabilities can add or modify blocks, making them an attack vector. The flaw affects all sites still running these legacy plugin versions.

Risk and Exploitability

The CVSS base score of 6.4 reflects a medium severity vulnerability. No EPSS score or public exploit is currently documented, and the issue is not listed in CISA’s KEV catalog. Nonetheless, exploitation only requires authenticated access to the WordPress administration area and the ability to edit blocks. By inserting a malicious block or altering an existing one, an attacker can persist the script in stored content. The risk to site visitors is that any who load the affected page will execute the injected JavaScript, potentially compromising user data or the site’s integrity.

Generated by OpenCVE AI on April 11, 2026 at 02:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest version of the Greenshift plugin (12.9.0 or newer) to remediate the sanitization issue.
  • If an upgrade cannot be performed, remove or avoid using the disablelazy attribute on image blocks until the plugin is patched.
  • Limit contributor or higher user roles to the minimum necessary, or revoke editing capabilities on pages containing the plugin’s blocks.
  • Audit block content regularly and monitor for unexpected JavaScript execution or unauthorized changes to ensure the vulnerability has not been exploited.
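
An added example for the audit step above (not OpenCVE's or the plugin's code): it scans exported post_content for greenshift-blocks/image blocks with disablelazy enabled and reports every attribute value that contains the literal text src=, which is what the unparsed str_replace() would rewrite. The block-comment layout is standard WordPress block serialization; the function name audit_post_content and the sample markup are constructed for illustration.

```python
import json
import re
from html.parser import HTMLParser

# Serialized block: <!-- wp:NAME {json attrs} --> inner HTML <!-- /wp:NAME -->
BLOCK_RE = re.compile(
    r'<!--\s+wp:greenshift-blocks/image\s+(\{.*?\})\s+-->(.*?)'
    r'<!--\s+/wp:greenshift-blocks/image\s+-->',
    re.DOTALL,
)

class _AttrScan(HTMLParser):
    """Collects (tag, attribute, value) where the value contains 'src='."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            # A real src attribute is expected. The risk is 'src=' sitting
            # inside a value, where a string replace would insert quotes.
            if value and 'src=' in value:
                self.hits.append((tag, name, value))

def audit_post_content(post_content):
    """Return suspicious attributes in image blocks that have disablelazy set."""
    findings = []
    for match in BLOCK_RE.finditer(post_content):
        try:
            block_attrs = json.loads(match.group(1))
        except json.JSONDecodeError:
            continue  # unparseable attributes: review by hand if this occurs
        if not block_attrs.get('disablelazy'):
            continue  # per the description, only disablelazy blocks are rewritten
        scan = _AttrScan()
        scan.feed(match.group(2))
        scan.close()
        findings.extend(scan.hits)
    return findings

# Constructed sample: benign marker text, not content from a real site.
SAMPLE = (
    '<!-- wp:greenshift-blocks/image {"disablelazy":true} -->'
    '<img class="hero src=marker" src="/a.jpg" alt=""/>'
    '<!-- /wp:greenshift-blocks/image -->'
    '<!-- wp:greenshift-blocks/image {"disablelazy":true} -->'
    '<img class="hero" src="/b.jpg" alt=""/>'
    '<!-- /wp:greenshift-blocks/image -->'
    '<!-- wp:greenshift-blocks/image {"disablelazy":false} -->'
    '<img class="hero src=marker" src="/c.jpg" alt=""/>'
    '<!-- /wp:greenshift-blocks/image -->'
)
```

Run it over each row of wp_posts.post_content from a database export; any finding is worth a manual look at who last edited that post.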


Advisories

No advisories yet.

History

Mon, 13 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared: Wordpress; Wordpress wordpress; Wpsoul; Wpsoul greenshift – Animation And Page Builder Blocks
Vendors & Products: Wordpress; Wordpress wordpress; Wpsoul; Wpsoul greenshift – Animation And Page Builder Blocks

Sat, 11 Apr 2026 01:30:00 +0000

Type Values Removed Values Added
Description The GreenShift - Animation and Page Builder Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 12.8.9. This is due to insufficient input sanitization and output escaping in the gspb_greenShift_block_script_assets() function. The function uses str_replace() to insert 'fetchpriority="high"' before 'src=' attributes when processing greenshift-blocks/image blocks with the disablelazy attribute enabled. Because this replacement operates on the entire HTML string without parsing, contributors can inject the string 'src=' into HTML attribute values (such as class attributes). When the str_replace executes, the double quotes in the replacement string break out of the attribute context, allowing injection of malicious HTML attributes like onfocus with JavaScript payloads. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Greenshift <= 12.8.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via disablelazy Attribute
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-13T15:15:08.348Z

Reserved: 2026-03-26T14:07:20.492Z

Link: CVE-2026-4895

Vulnrichment

Updated: 2026-04-13T15:11:36.057Z

NVD

Status: Deferred

Published: 2026-04-11T02:16:02.270

Modified: 2026-04-24T18:00:32.033

Link: CVE-2026-4895

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T12:56:43Z

Weaknesses