Greenshift – animation and page builder blocks < 12.8.6 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE 2026-2593 | Plugin Vulnerabilities

Description

The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `_gspb_post_css` post meta value and the `dynamicAttributes` block attribute in all versions up to, and including, 12.8.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

greenshift-animation-and-page-builder-blocks

Fixed in 12.8.6

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/57b7b171-cd25-4bcd-aa75-3ccbfbb1452a

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Athiwat Tiprasaharn (Jitlada), Itthidej Aramsri (Boeing777)

Verified

No

WPVDB ID

d8dd049c-e706-45de-9bd8-e794fd294041

Timeline

Publicly Published

2026-03-05 (about 2 months ago)

Added

2026-03-05 (about 2 months ago)

Last Updated

2026-03-05 (about 2 months ago)

Other

Published

Title

Published

2026-01-27

Title

Slimstat Analytics < 5.3.3 - Reflected Cross-Site Scripting

Published

2024-06-26

Title

DethemeKit For Elementor < 2.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via URL Parameter of the De Gallery Widget

Published

2024-03-14

Title

HUSKY – Products Filter for WooCommerce Professional < 1.3.5.2 - Contributor+ Stored Cross-Site Scripting via Shortcode

Published

2026-05-04

Title

Simple Owl Shortcodes <= 2.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'num' Shortcode Attribute

Published

2024-03-01

Title

Calculated Fields Form Professional < 5.1.57 - Unauthenticated Stored Cross-Site Scripting