Security Alert Summary
The Greenshift – animation and page builder blocks plugin for WordPress contains a privilege-check bypass that allows authenticated users with low privileges (Subscriber-level and above) to access global plugin settings. The issue is caused by a missing capability check in a validation function, and can expose stored AI API keys and other global configuration values.
CVE Details
- CVE ID: CVE-2026-1927
- Affected plugin / component: Greenshift – animation and page builder blocks plugin for WordPress
- Affected versions: All versions up to, and including, 12.5.7
- Published: Feb 5, 2026, 2:16:04 PM (UTC)
- Last modified: Feb 5, 2026, 2:57:20 PM (UTC)
- CVSS v3.1: Base Score 4.3 — MEDIUM; Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- Authentication / privileges / user interaction: Requires an authenticated user with low privileges (PR:L — e.g., Subscriber-level and above); no user interaction required (UI:N)
- Primary impact: Confidentiality: LOW; Integrity: NONE; Availability: NONE
- Weakness (CWE): CWE-862 (Missing Authorization)
Technical Details
The vulnerability exists because the plugin’s greenshift_app_pass_validation() function lacks a capability check, so any authenticated user with low privileges can invoke logic that returns the plugin’s global settings. As described in the CVE entry, the missing authorization check in this validation function permits retrieval of stored configuration values, including the AI API keys the plugin keeps in those settings.
No other functions, endpoints, or remediations are specified in the CVE entry. The issue affects all versions up to and including 12.5.7.
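To make the CWE-862 pattern concrete, the following is an added illustration written for this post, not code from the Greenshift plugin: a generic WordPress AJAX handler that returns global plugin settings, first with only the implicit "logged-in" check that the wp_ajax_ hook gives you, then hardened with a nonce and a capability check. The option name, action name, nonce name and settings keys are assumed.

```php
<?php
// Constructed example for this advisory, not the plugin's own code.
// Option, action and nonce names below are assumed placeholders.

// BEFORE: the pattern the advisory describes. The wp_ajax_ hook only requires
// a logged-in user, so a Subscriber-level account can read the whole option,
// including any API keys stored in it.
function example_get_settings_vulnerable() {
    $settings = get_option( 'example_plugin_global_settings', array() );
    wp_send_json_success( $settings ); // leaks every stored value to any logged-in user
}

// AFTER: verify the request came from a legitimate admin page (nonce) and
// require a capability that only administrators hold before reading settings.
function example_get_settings_hardened() {
    check_ajax_referer( 'example_settings_nonce', 'nonce' );   // dies on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 ); // exits
    }
    $settings = get_option( 'example_plugin_global_settings', array() );
    // Return only what the client needs: mask the secret so a response captured
    // from an admin session does not expose the full key either.
    if ( ! empty( $settings['ai_api_key'] ) ) {
        $key                     = (string) $settings['ai_api_key'];
        $settings['ai_api_key']  = str_repeat( '*', 8 ) . substr( $key, -4 );
    }
    wp_send_json_success( $settings );
}
// Register only the hardened handler; the vulnerable one is shown for contrast.
add_action( 'wp_ajax_example_get_settings', 'example_get_settings_hardened' );
```

When auditing a plugin for this class of issue, look for any handler or validation function that calls get_option() on a settings option and check whether a current_user_can() test guards it before the value is returned.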
How This Could Impact Your Website
Consider a typical small-to-medium WordPress site with multiple accounts: a site owner, a content editor, and an external contributor or contractor who has Subscriber or Contributor access. Because the flaw allows any authenticated user with low privileges to read global plugin settings, an external contributor or compromised low-privilege account could obtain stored configuration values such as AI API keys.
Practical consequences may include exposure of stored API keys or other sensitive configuration data. Depending on what is stored in global settings, this could also expose contact information or integration endpoints that increase the risk of targeted phishing or social engineering against staff or contractors. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available (the CVE does not specify a fixed version).
- Review and reduce unnecessary user roles and capabilities, especially for contributors and subscribers.
- Enforce strong passwords and enable two-factor authentication for editor- and administrator-level accounts.
- Remove unused or unmaintained plugins to reduce attack surface.
- Monitor site activity and logs for unusual access patterns or unexpected configuration access.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.