CVE-2026-1927

The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the greenshift_app_pass_validation() function in all versions up to, and including, 12.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve global plugin settings including stored AI API keys and modify plugin settings, including the injection of arbitrary web scripts via the 'custom_css' value (stored XSS). NOTE: This vulnerability was partially patched in version 12.6.

Configurations

No configuration.

History

03 Mar 2026, 18:16

Type: CVSS
Values Removed: v2 : unknown; v3 : 4.3
Values Added: v2 : unknown; v3 : 5.4

Type: Summary
  • (es) The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the greenshift_app_pass_validation() function in all versions up to, and including, 12.5.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve global plugin settings including stored AI API keys.

Type: Summary
Values Removed: (en) The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the greenshift_app_pass_validation() function in all versions up to, and including, 12.5.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve global plugin settings including stored AI API keys.
Values Added: (en) The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the greenshift_app_pass_validation() function in all versions up to, and including, 12.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve global plugin settings including stored AI API keys and modify plugin settings, including the injection of arbitrary web scripts via the 'custom_css' value (stored XSS). NOTE: This vulnerability was partially patched in version 12.6.

05 Feb 2026, 14:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-02-05 14:16

Updated : 2026-03-03 18:16


NVD link : CVE-2026-1927

Mitre link : CVE-2026-1927

CVE.ORG link : CVE-2026-1927


Products Affected

No product.

CWE
CWE-862

Missing Authorization