CVE-2025-3616

8.8 HIGH

📋 TL;DR

The Greenshift WordPress plugin versions 11.4 to 11.4.5 contain a vulnerability that allows authenticated users with Subscriber-level access or higher to upload arbitrary files due to missing file type validation. This can lead to remote code execution on affected WordPress sites. The vulnerability was partially patched in version 11.4.5 and fully fixed in 11.4.6 with proper capability checks.

💻 Affected Systems

Products:
  • Greenshift – animation and page builder blocks WordPress plugin
Versions: 11.4 to 11.4.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the vulnerable plugin enabled. Subscriber-level authentication is required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers achieve remote code execution, gain full control of the WordPress server, and potentially compromise the entire hosting environment.

🟠 Likely Case: Attackers upload malicious PHP files, execute arbitrary code, deface websites, install backdoors, or steal sensitive data.

🟢 If Mitigated: With proper file upload restrictions and web application firewalls, attackers may only upload harmless files or be blocked entirely.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is technically simple once credentials are obtained. CVSS 8.8 indicates high exploitability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.4.6

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3276168/greenshift-animation-and-page-builder-blocks/trunk/init.php

Restart Required: No

Instructions:

  1. Log into the WordPress admin panel.
  2. Navigate to Plugins → Installed Plugins.
  3. Find 'Greenshift – animation and page builder blocks'.
  4. Click 'Update Now' if available, or manually update to version 11.4.6 or later.
  5. Verify the update completed successfully.

🔧 Temporary Workarounds

Disable vulnerable plugin (all platforms)

Temporarily deactivate the Greenshift plugin until patched:

wp plugin deactivate greenshift-animation-and-page-builder-blocks

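Restrict file uploads via .htaccess (Linux)

Block PHP file execution in upload directories:

# Apache 2.2 access syntax; on Apache 2.4 it needs mod_access_compat (the native 2.4 form is "Require all denied")
<FilesMatch "\.(php|php5|php7|phtml|phar)$">
    Order Allow,Deny
    Deny from all
</FilesMatch>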

🧯 If You Can't Patch

  • Remove Subscriber role from all users or restrict file upload capabilities
  • Implement web application firewall rules to block malicious file upload patterns

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Greenshift plugin version. If version is between 11.4 and 11.4.5 inclusive, the system is vulnerable.

Check Version:

wp plugin get greenshift-animation-and-page-builder-blocks --field=version

Verify Fix Applied:

Confirm plugin version is 11.4.6 or higher. Test file upload functionality with Subscriber account to ensure proper restrictions.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to wp-content/uploads/greenshift/ directory
  • POST requests to /wp-json/greenshift/v1/proxy with file upload parameters
  • Execution of unexpected PHP files in upload directories

Network Indicators:

  • HTTP POST requests containing file uploads to WordPress REST API endpoints
  • Unusual outbound connections from WordPress server after file uploads

SIEM Query:

source="wordpress.log" AND (uri_path="/wp-json/greenshift/v1/proxy" OR file_upload="true")
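
The log indicators above, applied to a web server access log. This is an added example, not code from the plugin or the advisory; it assumes Combined Log Format, and the sample lines, IP addresses and file names are constructed. It also recognises WordPress's `?rest_route=` form of the same REST route, which a match on the `/wp-json/` path alone misses.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined Log Format prefix: ip ident user [time] "METHOD target PROTO" status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3})')
PROXY_ROUTE = "/greenshift/v1/proxy"  # REST route named in the log indicators
UPLOADS = "/wp-content/uploads/"
# Extensions from the .htaccess workaround, matched case-insensitively here
EXEC_RE = re.compile(r"\.(php|php5|php7|phtml|phar)$", re.IGNORECASE)

def is_proxy_post(method, target):
    """True for a POST to the proxy route via /wp-json/ or ?rest_route=."""
    if method != "POST":
        return False
    url = urlsplit(target)
    if unquote(url.path).rstrip("/") == "/wp-json" + PROXY_ROUTE:
        return True
    routes = parse_qs(url.query).get("rest_route", [])
    return any(r.rstrip("/") == PROXY_ROUTE for r in routes)

def scan(lines):
    """Return (kind, ip, target) findings in log order."""
    findings, posters = [], set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a Combined Log Format request line
        ip, method, target, status = m.groups()
        path = unquote(urlsplit(target).path)
        if is_proxy_post(method, target):
            posters.add(ip)
            findings.append(("proxy_post", ip, target))
        elif (path.startswith(UPLOADS) and EXEC_RE.search(path)
              and status not in ("403", "404")):
            # The script was served rather than blocked or missing
            kind = "exec_after_proxy_post" if ip in posters else "exec_in_uploads"
            findings.append((kind, ip, target))
    return findings

# Constructed sample lines (documentation IP ranges, made-up file names)
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2025:10:00:01 +0000] "POST /wp-json/greenshift/v1/proxy HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [10/May/2025:10:00:09 +0000] "GET /wp-content/uploads/greenshift/a.PHP HTTP/1.1" 200 20 "-" "-"',
    '198.51.100.4 - - [10/May/2025:10:01:00 +0000] "POST /index.php?rest_route=%2Fgreenshift%2Fv1%2Fproxy HTTP/1.1" 200 90 "-" "-"',
    '198.51.100.9 - - [10/May/2025:10:02:00 +0000] "GET /wp-content/uploads/2025/05/logo.png HTTP/1.1" 200 4096 "-" "-"',
    '198.51.100.9 - - [10/May/2025:10:03:00 +0000] "GET /wp-content/uploads/x.php HTTP/1.1" 403 199 "-" "-"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

A `proxy_post` finding on its own is a lead to review; `exec_after_proxy_post` means the same client later had a script under the uploads directory served to it.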
