PT-2026-32087 · WordPress · Greenshift – Animation/Page Builder Blocks

Published 2026-04-11 · Updated 2026-04-18 · CVE-2026-4895

CVSS v3.1: 6.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

The GreenShift - Animation and Page Builder Blocks plugin for WordPress versions up to and including 12.8.9

Description

The GreenShift - Animation and Page Builder Blocks plugin for WordPress is susceptible to Stored Cross-Site Scripting due to inadequate input sanitization and output escaping within the gspb_greenShift_block_script_assets() function. The function utilizes str_replace() to insert 'fetchpriority="high"' before 'src=' attributes when handling greenshift-blocks/image blocks with the disablelazy attribute enabled. This replacement operates on the entire HTML string without parsing, allowing contributors to inject the string 'src=' into HTML attribute values, such as class attributes. The execution of str_replace() breaks out of the attribute context due to the double quotes in the replacement string, enabling the injection of malicious HTML attributes like onfocus with JavaScript payloads. This allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages, which will execute when a user accesses the injected page.

Recommendations

For versions up to and including 12.8.9, ensure all input data is properly sanitized and output is correctly escaped to prevent the injection of malicious scripts. As a temporary workaround, consider disabling the greenshift-blocks/image block or the disablelazy attribute until a patch is available.
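
The replacement described above, next to a parser-based alternative, as an added PHP example that is not the plugin's code. The function names and the sample markup are constructed for illustration, and DOMDocument is an assumed stand-in for the HTML parser a site would use.

```php
<?php
// Added illustration; names and sample markup are constructed, not the plugin's code.

// Parse an HTML fragment (ASCII sample) inside a wrapper <div> so it can be serialized back.
function load_fragment(string $html): DOMDocument {
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // malformed markup is expected here
    $doc->loadHTML('<div>' . $html . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    return $doc;
}

// The pattern the advisory describes: blind replace over the whole HTML string.
function add_fetchpriority_unsafe(string $html): string {
    return str_replace('src=', 'fetchpriority="high" src=', $html);
}

// Parser-based alternative: touch only real <img> elements, never attribute values.
function add_fetchpriority_safe(string $html): string {
    $doc = load_fragment($html);
    foreach ($doc->getElementsByTagName('img') as $img) {
        $img->setAttribute('fetchpriority', 'high');
    }
    $out = '';
    foreach ($doc->getElementsByTagName('div')->item(0)->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Read one attribute of the first <img> as a parser sees it.
function img_attr(string $html, string $name): string {
    $img = load_fragment($html)->getElementsByTagName('img')->item(0);
    return $img === null ? '' : $img->getAttribute($name);
}

// Constructed input: the literal text "src=" sits inside a class value.
$block = '<img class="wide src=marker" src="photo.jpg">';

$results = ['unsafe' => add_fetchpriority_unsafe($block), 'safe' => add_fetchpriority_safe($block)];
foreach ($results as $label => $html) {
    printf("%-6s class=[%s] src=[%s]\n", $label, img_attr($html, 'class'), img_attr($html, 'src'));
}
```

In the unsafe output the class value ends at the quote that str_replace() inserted, so the rest of the former class text is read as attributes of the element; the parser-based version leaves the class value intact. Inside WordPress 6.2 or later, WP_HTML_Tag_Processor offers the same tag-level attribute editing.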

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2026-4895

Affected Products

Greenshift – Animation/Page Builder Blocks