GreenShift – Animation and Page Builder Blocks Plugin Vulnerability (CVE-2026-4895)

Security Alert Summary

A stored cross-site scripting (XSS) vulnerability was identified in the GreenShift – Animation and Page Builder Blocks plugin for WordPress. The issue arises from insufficient input sanitization and output escaping in a function that manipulates block HTML, allowing authenticated users with contributor-level access or higher to inject scripts that execute when a page is viewed.


CVE Details

  • CVE ID: CVE-2026-4895
  • Affected component: GreenShift – Animation and Page Builder Blocks plugin for WordPress
  • Affected versions: all versions up to and including 12.8.9
  • Published: April 11, 2026 at 2:16:02 AM UTC
  • Last modified: April 11, 2026 at 2:16:02 AM UTC
  • CVSS v3.1 base score: 6.4 (MEDIUM)
  • CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • Authentication / Privileges: Requires authenticated user with privileges rated as Low (contributor-level or higher)
  • User interaction: None required
  • Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
  • Weakness: CWE-79 (Improper Neutralization of Input During Web Page Generation — Cross-site Scripting)

Technical Details

The vulnerability exists in the plugin function gspb_greenShift_block_script_assets(). That function attempts to insert the string fetchpriority="high" before src= attributes when processing greenshift-blocks/image blocks with the disablelazy attribute enabled. The implementation uses str_replace() on the entire HTML string rather than parsing the HTML or properly escaping attributes.

Because the replacement runs across the whole HTML fragment, a contributor can place the literal substring src= inside other attribute values (for example, inside a class attribute). When str_replace() runs, the inserted replacement contains double quotes that break out of the original attribute context and allow injection of new attributes such as onfocus with JavaScript payloads. The result is stored XSS: authenticated users with contributor-level permissions can inject scripts into pages that will run when the page is viewed.

The description and code references indicate the problem is insufficient input sanitization and output escaping combined with HTML string manipulation via str_replace(). No additional functions, endpoints, or exploit details beyond the function name and the block type were provided in the source data.
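
The following is an added example, not code from the plugin or from the original advisory. It models the whole-string replacement in Python to audit saved block HTML: it lists attribute values that contain the literal src= and reports attribute names that exist only after the replacement. The sample markup and all function names are constructed for illustration.

```python
from html.parser import HTMLParser

NEEDLE = "src="
REPLACEMENT = 'fetchpriority="high" src='  # string named in the advisory


class _TagCollector(HTMLParser):
    """Records (tag, [(attr_name, attr_value), ...]) for every start tag."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, attrs))


def parse_tags(html):
    collector = _TagCollector()
    collector.feed(html)
    collector.close()
    return collector.tags


def naive_insert(html):
    # Python model of a whole-string str_replace(); not the plugin's source.
    return html.replace(NEEDLE, REPLACEMENT)


def values_containing_needle(html):
    """(tag, attribute) pairs whose value the whole-string replacement would rewrite."""
    return [(tag, name) for tag, attrs in parse_tags(html)
            for name, value in attrs if value and NEEDLE in value]


def attributes_created(html):
    """Attribute names present only after the replacement (fetchpriority aside)."""
    def names(doc):
        return {name for _, attrs in parse_tags(doc) for name, _ in attrs}
    return sorted(names(naive_insert(html)) - names(html) - {"fetchpriority"})


# Constructed samples: a plain image tag, and one whose class value holds "src=".
CLEAN = '<img class="hero" src="/uploads/a.jpg" alt="">'
FLAGGED = '<img class="hero src=placeholder" src="/uploads/a.jpg" alt="">'

if __name__ == "__main__":
    for sample in (CLEAN, FLAGGED):
        print(values_containing_needle(sample), attributes_created(sample))
```

A non-empty result from attributes_created() means the replacement changed the tag's attribute structure, which is the condition the advisory describes; such content should be reviewed by an editor before it is published.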


How This Could Impact Your Website

On a multi-user WordPress site, a contributor or other low-privileged user could craft content that abuses this replacement behavior to inject JavaScript into page content. When other users—including site editors, administrators, or public visitors—view the affected page, that script can run in the context of the site. Practical consequences may include targeted client-side attacks such as session token theft, display of fraudulent content or forms, or client-side actions performed in the context of the viewing user. The confidentiality and integrity impacts are rated as Low by CVSS, so effects are generally limited to what can be achieved via injected scripts in the browser rather than direct takeover of server-side systems.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review of your setup.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially contributors and other low-privilege accounts that can edit content.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site activity and content for unusual behavior or unexpected script injections.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.

