CVE-2026-4895 MEDIUM

CVE-2026-4895: Greenshift <= 12.8.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via disablelazy Attribute

Vendor Wpsoul

Product Greenshift – animation and page builder blocks

Weakness CWE-79 · XSS

Published April 11, 2026

Last update April 13, 2026

View on NVD All CVEs

CVSS base score

6.4/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

The GreenShift - Animation and Page Builder Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 12.8.9 This is due to insufficient input sanitization and output escaping in the gspb_greenShift_block_script_assets() function. The function uses str_replace() to insert 'fetchpriority="high"' before 'src=' attributes when processing greenshift-blocks/image blocks with the disablelazy attribute enabled. Because this replacement operates on the entire HTML string without parsing, contributors can inject the string 'src=' into HTML attribute values (such as class attributes). When the str_replace executes, the double quotes in the replacement string break out of the attribute context, allowing injection of malicious HTML attributes like onfocus with JavaScript payloads. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Explanation of Vulnerability in Simple Terms

02Summary

Greenshift contains a cross-site scripting (XSS) vulnerability in its animation and page builder blocks. An authenticated user with low privileges can inject malicious scripts that execute in other users' browsers, including site administrators. The vulnerability affects all versions up to 12.8.9. Site owners should update to a version newer than 12.8.9 as soon as available.

What an attacker can do

03Attacker Capabilities

Inject malicious scripts that run in other users' browsers, potentially stealing session tokens or admin credentials.

Potential impact on your site

04Site Impact

Authenticated attackers can compromise admin accounts and take control of your site through stored XSS in page builder content.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege WordPress account (e.g., contributor or editor role).

Key dates

06Disclosure timeline

April 11, 2026 CVE published

April 13, 2026 Record updated

External resources

07References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-4895 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

Identifiers

CVE CVE-2026-4895

CWE CWE-79

CVSS 6.4 / MEDIUM

Affected versions