CVE-2026-2371 – This vulnerability allows unauthenticated attac... (How to Fix)

Q: What is the severity of CVE-2026-2371?

CVE-2026-2371 has a CVSS score of 5.3 (MEDIUM). This vulnerability allows unauthenticated attackers to retrieve the HTML content of private, draft, or password-protected reusable blocks in WordPress. It affects all WordPress sites using the Greenshift plugin up to version 12.8.3. Attackers can access sensitive content that should be restricted to authorized users.

📋 TL;DR

This vulnerability allows unauthenticated attackers to retrieve the HTML content of private, draft, or password-protected reusable blocks in WordPress. It affects all WordPress sites using the Greenshift plugin up to version 12.8.3. Attackers can access sensitive content that should be restricted to authorized users.

💻 Affected Systems

Products:

Greenshift – animation and page builder blocks WordPress plugin

Versions: All versions up to and including 12.8.3

Operating Systems: All operating systems running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability exists when the plugin is active and the [wp_reusable_render] shortcode with ajax="1" is used on public pages.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Sensitive private content (draft posts, confidential information in reusable blocks) is exposed to the public, potentially leading to data leaks, intellectual property theft, or regulatory compliance violations.

🟠

Likely Case

Unauthorized access to draft content, private reusable blocks, or password-protected materials that should not be publicly visible.

🟢

If Mitigated

With proper access controls, only authorized users can view restricted content, limiting exposure to authenticated personnel only.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires sending crafted AJAX requests with arbitrary post_id parameters. The nonce is exposed on public pages using the vulnerable shortcode.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 12.8.4 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3465111/greenshift-animation-and-page-builder-blocks/trunk/settings.php

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Greenshift – animation and page builder blocks'. 4. Click 'Update Now' if available. 5. Alternatively, download version 12.8.4+ from WordPress.org and manually update.

🔧 Temporary Workarounds

Disable vulnerable shortcode

all

Remove or modify any [wp_reusable_render] shortcodes with ajax="1" attribute from public pages

Temporarily disable plugin

all

Deactivate the Greenshift plugin until patched

🧯 If You Can't Patch

Implement web application firewall (WAF) rules to block suspicious AJAX requests to gspb_el_reusable_load endpoint
Restrict access to WordPress admin areas using IP whitelisting or additional authentication layers

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for Greenshift version. If version is 12.8.3 or lower, you are vulnerable.

Check Version:

wp plugin list --name='greenshift-animation-and-page-builder-blocks' --field=version

Verify Fix Applied:

After updating, verify plugin version is 12.8.4 or higher. Test that private reusable blocks cannot be accessed via AJAX requests without proper authentication.

📡 Detection & Monitoring

Log Indicators:

Multiple AJAX requests to /wp-admin/admin-ajax.php with action=gspb_el_reusable_load and varying post_id parameters
Unusual access patterns to wp_block post types from unauthenticated IPs

Network Indicators:

HTTP POST requests to admin-ajax.php with 'action=gspb_el_reusable_load' parameter from unauthenticated sources

SIEM Query:

source="wordpress.log" AND "admin-ajax.php" AND "gspb_el_reusable_load" AND NOT user_id=*

📊 Metadata

CVE ID: CVE-2026-2371

CVSS v3 Score: 5.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE: CWE-862

Published: March 7, 2026

Last Updated: March 7, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-2371, you might also want to check these: