WordPress Security Bulletin: Greenshift – animation and page builder blocks plugin for WordPress (CVE-2026-2593)

On this page

Security Alert Summary

The Greenshift – animation and page builder blocks plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability that can be exploited via post meta and block attributes. Authenticated users with Contributor-level access and above can inject scripts that will execute when an injected page is viewed by site users.


CVE Details

  • CVE ID: CVE-2026-2593
  • Affected plugin / component: Greenshift – animation and page builder blocks plugin for WordPress
  • Affected versions: all versions up to, and including, 12.8.5
  • Published: March 5, 2026 at 10:16:25 PM UTC
  • Last modified: March 5, 2026 at 10:16:25 PM UTC
  • CVSS v3.1 base score: 6.4 (Medium)

    Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • Authentication / privileges / user interaction: Requires an authenticated user with low privileges (Contributor-level or higher). No user interaction is required for the payload to execute once injected.
  • Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
  • CWE: CWE-79 (Cross-site Scripting)

Technical Details

This issue is a stored Cross-Site Scripting (XSS) vulnerability caused by insufficient input sanitization and output escaping. The vulnerability can be triggered via the _gspb_post_css post meta value and the dynamicAttributes block attribute. Authenticated users with Contributor-level access and above can supply crafted values to those data fields that are stored by the plugin and later output into pages without proper escaping. When a page containing the injected content is viewed, the malicious script executes in the context of the viewer’s browser, leading to the confidentiality and integrity impacts indicated by the CVSS vector.


How This Could Impact Your Website

Consider a small organization where the site owner delegates content creation to several internal staff members and an external contractor. If one of those users has Contributor-level access and can edit or add content that uses the Greenshift blocks, an attacker who gains access to a Contributor account (or an existing Contributor acting maliciously) could inject JavaScript into a page. When other users—editors, administrators, or regular visitors—view that page, the injected script could run in their browsers. Practical consequences include exposure of session information or user-visible data and an increased risk of targeted phishing or social engineering attacks against staff whose information is accessible from the site.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially Contributor-level accounts.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site activity and logs for unusual behavior or unexpected content changes.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References