PT-2026-23762 · WordPress · Greenshift

Lucas Montes · Published 2026-03-06 · Updated 2026-03-07 · CVE-2026-2371

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Greenshift – animation and page builder blocks plugin for WordPress versions up to and including 12.8.3

Description: The software is susceptible to an Insecure Direct Object Reference issue. This is a result of a lack of authorization and post status validation within the gspb_el_reusable_load() AJAX handler. The handler accepts a post_id parameter and renders the content of any wp_block post without verifying user permissions to read the post or checking its status. The nonce is exposed to unauthenticated users on any public page utilizing the [wp_reusable_render] shortcode with ajax="1", allowing unauthenticated attackers to retrieve rendered HTML content from private, draft, or password-protected reusable blocks.

Recommendations: Versions prior to 12.8.4 should be updated.
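
The checks the description reports as missing, shown as an added example of a hardened handler; this is not Greenshift's code or its 12.8.4 patch. The function name example_reusable_load, the AJAX action and the nonce action are hypothetical, and treating published blocks as public is an assumption; the WordPress API calls are real.

```php
<?php
// Added example (hypothetical names): an AJAX handler that renders a
// reusable block only after type, status, capability and password checks.

add_action( 'wp_ajax_example_reusable_load', 'example_reusable_load' );
add_action( 'wp_ajax_nopriv_example_reusable_load', 'example_reusable_load' );

function example_reusable_load() {
    // A nonce printed into a public page is readable by every visitor of
    // that page. It limits CSRF; it does not authorize the caller.
    check_ajax_referer( 'example_reusable_nonce', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;

    // Only reusable blocks may be rendered through this endpoint.
    if ( ! $post || 'wp_block' !== $post->post_type ) {
        wp_send_json_error( array( 'message' => 'Not found' ), 404 );
    }

    // Assumption: published blocks are meant to be public. Any other
    // status (private, draft, pending, trash) requires the per-post read
    // capability, which map_meta_cap() resolves against the post's
    // status and author.
    if ( 'publish' !== $post->post_status
        && ! current_user_can( 'read_post', $post_id ) ) {
        // Same response as a missing post, so IDs cannot be enumerated.
        wp_send_json_error( array( 'message' => 'Not found' ), 404 );
    }

    // Password-protected blocks are refused unless the visitor has
    // already supplied the correct password for this post.
    if ( post_password_required( $post ) ) {
        wp_send_json_error( array( 'message' => 'Password required' ), 403 );
    }

    // wp_send_json_* terminates the request, so this line is reached
    // only when every check above has passed.
    wp_send_json_success(
        array( 'html' => do_blocks( $post->post_content ) )
    );
}
```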

Fix

Missing Authorization

Weakness Enumeration

Related Identifiers: CVE-2026-2371

Affected Products: Greenshift