CVE-2024-6155
📋 TL;DR
This vulnerability in the Greenshift WordPress plugin allows authenticated users with Subscriber-level access or higher to perform Server-Side Request Forgery (SSRF) attacks and upload malicious SVG files containing Cross-Site Scripting (XSS) payloads. Attackers can make arbitrary web requests from the vulnerable server and store malicious content that could affect other users. All WordPress sites using Greenshift plugin versions up to 9.0.0 are affected.
💻 Affected Systems
- Greenshift – animation and page builder blocks WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise via SSRF to internal services, data exfiltration from cloud metadata services, persistent XSS affecting all site visitors leading to credential theft or malware distribution.
Likely Case
Attackers upload malicious SVG files containing XSS payloads that execute in visitors' browsers, potentially stealing session cookies or performing actions as authenticated users.
If Mitigated
Limited impact with proper network segmentation preventing SSRF to internal services and content security policies blocking XSS execution.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward with publicly available technical details. SSRF and XSS payloads are well-documented attack vectors.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.0.1
Vendor Advisory: https://plugins.trac.wordpress.org/browser/greenshift-animation-and-page-builder-blocks/tags/9.0.1/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Greenshift plugin and click 'Update Now'.
4. Verify the version shows 9.0.1 or higher.
🔧 Temporary Workarounds
Disable vulnerable function via filter
Add a WordPress filter to disable the vulnerable greenshift_download_file_localy function. Add to the theme's functions.php or a custom plugin:
add_filter('greenshift_download_file_localy', '__return_false');
Confirm that the installed plugin version actually applies a filter hook with this name before relying on it; add_filter() on a hook name that nothing calls is a silent no-op.
Restrict SVG uploads
Block SVG file uploads through the WordPress media library. Add to the theme's functions.php:
add_filter('upload_mimes', function($mimes) { unset($mimes['svg']); return $mimes; });
WordPress core does not allow SVG uploads by default, so this filter matters where another plugin or theme has enabled them; it does not remove SVG files already in the media library.
🧯 If You Can't Patch
- Remove Subscriber role access or implement strict user role management
- Implement web application firewall rules to block SSRF patterns and SVG file uploads
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for Greenshift version. If version is 9.0.0 or lower, system is vulnerable.
Check Version:
wp plugin list --name=greenshift-animation-and-page-builder-blocks --field=version (if WP-CLI is installed; --name takes the plugin slug from the advisory URL, not the display name)
Verify Fix Applied:
After updating, verify Greenshift plugin shows version 9.0.1 or higher in WordPress admin panel.
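The version check above can be scripted for hosts without WP-CLI. The following is an added example for this advisory, not code from the plugin or from WordPress: it reads the standard "Version:" plugin header (the same header WordPress reads) from the top-level PHP files of the plugin directory and compares it against 9.0.1. The directory name comes from the plugin slug in the vendor advisory URL; the wp-content prefix and the sample header used for the self-test are assumptions.

```python
"""Check an installed Greenshift copy against the fixed version (9.0.1).

Added example for this advisory, not code from the plugin or from WordPress.
"""
import re
from pathlib import Path

FIXED_VERSION = "9.0.1"
# Slug from the advisory URL; the wp-content prefix is an assumption about the install layout.
DEFAULT_PLUGIN_DIR = Path("wp-content/plugins/greenshift-animation-and-page-builder-blocks")

# Matches a "Version: 9.0.0" header line, optionally inside a "/** ... */" comment block.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(?P<ver>\S+)", re.MULTILINE)

# Constructed header for the self-test; real plugin headers have the same shape.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Greenshift - animation and page builder blocks
 * Version: 9.0.0
 * Requires at least: 6.0
 */
"""


def parse_version(version):
    """'9.0.1' -> (9, 0, 1). Numeric components only; a pre-release tag
    such as '-beta' ends the tuple, so it compares by its numeric part."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def header_version(php_text):
    """Return the Version header value from plugin file text, or None."""
    m = VERSION_RE.search(php_text)
    return m["ver"] if m else None


def is_vulnerable(version):
    """Versions below 9.0.1 are affected (advisory: up to and including 9.0.0)."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def plugin_version(plugin_dir=DEFAULT_PLUGIN_DIR):
    """Find the header version in the plugin's top-level PHP files, where WordPress looks.
    Only the first 8 KB of each file is inspected, as WordPress does."""
    if not plugin_dir.is_dir():
        return None
    for php_file in sorted(plugin_dir.glob("*.php")):
        ver = header_version(php_file.read_text(encoding="utf-8", errors="replace")[:8192])
        if ver:
            return ver
    return None


if __name__ == "__main__":
    ver = plugin_version()
    if ver is None:
        print("Greenshift not found under", DEFAULT_PLUGIN_DIR)
    else:
        print(f"Greenshift {ver}: {'VULNERABLE' if is_vulnerable(ver) else 'patched'}")
```

Run it from the WordPress root, or pass the plugin directory to plugin_version(); a result of None means the plugin is not installed at that path, not that the site is safe.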
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with action=greenshift_download_file_localy
- SVG file uploads from Subscriber-level users
- Outbound requests to internal IP addresses or metadata services
Network Indicators:
- HTTP requests from WordPress server to internal services (169.254.169.254 for AWS metadata, etc.)
- Unusual outbound traffic patterns from web server
SIEM Query:
source="wordpress.log" AND ("greenshift_download_file_localy" OR (".svg" AND user_role="subscriber"))
(explicit grouping, because AND/OR precedence differs between SIEM query languages; the intent is any call to the vulnerable action, plus SVG activity by Subscriber-level users)
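The log indicators listed above can be checked programmatically. The following is an added example for this advisory, not code from the Greenshift project or from WordPress. It assumes Combined-Log-style lines in which the request parameters are visible in the query string; a standard access log does not record POST bodies, so for the admin-ajax and upload calls you would in practice feed it a WAF or application log that captures parameters. The sample lines, the user-to-role mapping, and the "url" parameter name are constructed for illustration (the advisory names the action, not the plugin's parameter names).

```python
"""Scan access-log lines for the Greenshift indicators listed in the advisory.

Added example for this advisory; not code from the Greenshift project or WordPress.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

VULN_ACTION = "greenshift_download_file_localy"  # action name from the advisory
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal"}  # cloud metadata endpoints

# Constructed mapping of log user -> WordPress role. An access log carries no roles;
# join this from wp_users / wp_usermeta or an application log in practice.
ROLE_BY_USER = {"subscriber01": "subscriber", "subscriber02": "subscriber", "editor01": "editor"}

# Constructed sample lines; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - subscriber01 [03/Jul/2024:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=greenshift_download_file_localy&url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 512
10.0.0.5 - subscriber01 [03/Jul/2024:10:02:10 +0000] "POST /wp-admin/async-upload.php?name=image.svg HTTP/1.1" 200 300
10.0.0.9 - editor01 [03/Jul/2024:10:03:00 +0000] "GET /wp-admin/edit.php HTTP/1.1" 200 4200
10.0.0.7 - subscriber02 [03/Jul/2024:10:04:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 80
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def is_internal_target(url):
    """True when the fetched URL points at a private, loopback or link-local
    address or a known cloud metadata host (the SSRF targets the advisory names)."""
    host = urlparse(url).hostname
    if not host:
        return False
    if host.lower() in METADATA_HOSTS:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name; not resolved here so the example stays offline
    return addr.is_private or addr.is_loopback or addr.is_link_local


def classify(line):
    """Return the list of indicator names that match one log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parsed = urlparse(m["target"])
    params = parse_qs(parsed.query)
    findings = []
    # Indicator 1: any call to the vulnerable AJAX action.
    if parsed.path.endswith("/admin-ajax.php") and VULN_ACTION in params.get("action", []):
        findings.append("greenshift-download-call")
        # "url" is an assumed parameter name; adjust to what your log shows.
        if any(is_internal_target(u) for u in params.get("url", [])):
            findings.append("ssrf-internal-target")
    # Indicator 2: an SVG being uploaded, with extra weight when a Subscriber does it.
    if m["method"] == "POST" and any(
        v.lower().endswith(".svg") for values in params.values() for v in values
    ):
        role = ROLE_BY_USER.get(m["user"], "unknown")
        findings.append("svg-upload-by-subscriber" if role == "subscriber" else "svg-upload")
    return findings


def scan(log_text):
    """Run classify over every line and keep the lines that matched."""
    hits = []
    for line in log_text.splitlines():
        findings = classify(line)
        if findings:
            m = LOG_RE.match(line)
            hits.append({"user": m["user"], "target": m["target"], "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["user"], ", ".join(hit["findings"]), hit["target"])
```

The IP check deliberately inspects only literal addresses; resolving hostnames at detection time would make the scan depend on DNS and could be skewed by records that change after the fact, so treat a DNS-name target as "needs review" rather than "clean".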