{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2593", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-16T16:48:44.399Z", "datePublished": "2026-03-05T21:24:06.799Z", "dateUpdated": "2026-04-08T16:54:27.325Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:54:27.325Z"}, "affected": [{"vendor": "wpsoul", "product": "Greenshift \u2013 animation and page builder blocks", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "12.8.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Greenshift \u2013 animation and page builder blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `_gspb_post_css` post meta value and the `dynamicAttributes` block attribute in all versions up to, and including, 12.8.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Greenshift \u2013 animation and page builder blocks <= 12.8.5 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/57b7b171-cd25-4bcd-aa75-3ccbfbb1452a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/greenshift-animation-and-page-builder-blocks/tags/12.8.3/init.php#L2110"}, {"url": "https://plugins.trac.wordpress.org/browser/greenshift-animation-and-page-builder-blocks/tags/12.8.3/init.php#L2138"}, {"url": "https://plugins.trac.wordpress.org/browser/greenshift-animation-and-page-builder-blocks/tags/12.8.3/blockrender/element/block.php#L660"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}], "timeline": [{"time": "2026-02-07T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-02-16T17:04:10.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-05T08:57:22.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T14:37:59.518456Z", "id": "CVE-2026-2593", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T14:38:15.270Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2593", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T14:37:59.518456Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T14:38:10.854Z"}}], "cna": {"title": "Greenshift \u2013 animation and page builder blocks <= 12.8.5 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "wpsoul", "product": "Greenshift \u2013 animation and page builder blocks", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "12.8.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-07T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-02-16T17:04:10.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-05T08:57:22.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/57b7b171-cd25-4bcd-aa75-3ccbfbb1452a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/greenshift-animation-and-page-builder-blocks/tags/12.8.3/init.php#L2110"}, {"url": "https://plugins.trac.wordpress.org/browser/greenshift-animation-and-page-builder-blocks/tags/12.8.3/init.php#L2138"}, {"url": "https://plugins.trac.wordpress.org/browser/greenshift-animation-and-page-builder-blocks/tags/12.8.3/blockrender/element/block.php#L660"}], "descriptions": [{"lang": "en", "value": "The Greenshift \u2013 animation and page builder blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `_gspb_post_css` post meta value and the `dynamicAttributes` block attribute in all versions up to, and including, 12.8.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:54:27.325Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2593", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:54:27.325Z", "dateReserved": "2026-02-16T16:48:44.399Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-05T21:24:06.799Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Greenshift \u2013 animation and page builder blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `_gspb_post_css` post meta value and the `dynamicAttributes` block attribute in all versions up to, and including, 12.8.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin Greenshift \u2013 bloques de animaci\u00f3n y constructor de p\u00e1ginas para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del valor de metadatos de publicaci\u00f3n '_gspb_post_css' y el atributo de bloque 'dynamicAttributes' en todas las versiones hasta e incluyendo la 12.8.5 debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con acceso de nivel de Colaborador y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2026-2593", "lastModified": "2026-04-22T21:27:27.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-05T22:16:25.030", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/greenshift-animation-and-page-builder-blocks/tags/12.8.3/blockrender/element/block.php#L660"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/greenshift-animation-and-page-builder-blocks/tags/12.8.3/init.php#L2110"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/greenshift-animation-and-page-builder-blocks/tags/12.8.3/init.php#L2138"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/57b7b171-cd25-4bcd-aa75-3ccbfbb1452a?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,12.8.5]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Greenshift \u2013 animation and page builder blocks", "source": "cna", "vendor": "wpsoul"}, "product": "greenshift_\u2013_animation_and_page_builder_blocks", "vendor": "wpsoul"}], "analysis": {"en": {"generated_at": "2026-04-15T19:54:25.205031+00:00", "value": {"mitigation_remediation": ["Update the Greenshift \u2013 animation and page builder blocks plugin to the latest release that addresses the stored XSS vulnerability.", "Remove or clean any existing custom CSS or dynamic attribute data that may contain untrusted input.", "Verify that all user-supplied content in the plugin is properly validated and escaped before rendering to prevent future injection issues."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the Greenshift \u2013 animation and page builder blocks plugin at version 12.8.5 or earlier are vulnerable. Any site that has installed the plugin up to 12.8.5 and grants contributor\u2011level access to users can exploit this weakness.", "description_and_impact": "The vulnerability enables authenticated WordPress users with Contributor permissions or higher to persist malicious JavaScript in the _gspb_post_css post meta field or the dynamicAttributes block attribute. Because the plugin never sanitizes this input and never escapes it when rendering, the script is stored and later executed in browsers that view the affected page, creating a stored cross\u2011site scripting flaw. The description does not mention any additional consequences beyond executing arbitrary scripts for page visitors.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate severity. The EPSS score of less than 1% suggests a low probability of exploitation. The flaw is not listed in the CISA KEV catalog. Exploitation requires an authenticated account with Contributor or higher permissions; an attacker must therefore compromise legitimate credentials or otherwise obtain sufficient access. When such access is achieved, the attacker can inject malicious scripts that will run for any visitor to the modified page. The description does not explicitly describe further impacts such as credential theft or defacement, so those conclusions are not inferred."}}}}, "created": "2026-03-06T15:00:48.144997+00:00", "updated": "2026-04-15T20:00:06.625362+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpsoul", "wpsoul$PRODUCT$greenshift_\u2013_animation_and_page_builder_blocks"]}