
A critical vulnerability affecting the popular WordPress plugin Greenshift – animation and page builder blocks has come to light, potentially placing over 50,000 active websites at risk of full compromise. Tracked as CVE-2025-3616 and carrying a CVSS score of 8.8, this flaw allows authenticated users — even those with mere subscriber-level access — to upload arbitrary files, including malicious PHP scripts, and execute them remotely.
Discovered by researcher mikemyers through the Wordfence Bug Bounty Program, this vulnerability resides in the gspb_make_proxy_api_request() function, introduced in version 11.4 of the plugin. While this function added file upload capabilities for legitimate media types, a critical oversight left it open to abuse.
“Although the function includes a MIME type check, it is not sufficient and unfortunately does not include any file type or extension checks in the vulnerable version,” noted Wordfence.
Due to the lack of stringent file extension validation, attackers can bypass the limited MIME checks by spoofing headers, and upload .php webshells into a publicly accessible directory, allowing them to execute arbitrary commands on the server.
Here’s what made this vulnerability dangerous:
- The plugin accepted uploads from authenticated users without proper capability checks.
- Only a simple MIME type validation was enforced, which is trivial to spoof.
- Uploaded files were saved into /wp-content/uploads/api_upload/, which is usually web-accessible.
- Attackers could then access and execute the malicious PHP files directly through the browser.
This creates a straightforward path to Remote Code Execution (RCE), enabling full site takeovers.
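To make the weakness concrete, here is an added illustration (written for this article, not code from the Greenshift plugin or from Wordfence) contrasting a validator that trusts only the client-supplied Content-Type with one that enforces an extension allow-list, checks that the declared type matches the extension, and verifies the file's own magic bytes. The `Upload` record, the allow-lists and the sample bodies are constructed for the example.

```python
"""Upload validation: MIME-only check versus extension + content check.

Added illustration of the flaw class described in the article. A check
that trusts the declared MIME type alone is bypassed by sending a PHP
file with an image Content-Type; the hardened check below does not
trust anything the client declares.
"""
from dataclasses import dataclass

# Declared types the hypothetical endpoint was meant to accept.
ALLOWED_MIME = {"image/png", "image/jpeg", "image/gif"}

# Extension allow-list, mapped to the one MIME type each may carry.
ALLOWED_EXT = {
    "png": "image/png",
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
    "gif": "image/gif",
}

# Leading bytes (magic numbers) of each allowed format.
MAGIC = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",
}


@dataclass
class Upload:
    filename: str       # name supplied by the client
    declared_mime: str  # Content-Type supplied by the client
    content: bytes      # file body as received


def mime_only_check(upload: Upload) -> bool:
    """Weak check: accepts anything whose declared Content-Type is allowed."""
    return upload.declared_mime in ALLOWED_MIME


def hardened_check(upload: Upload) -> tuple[bool, str]:
    """Server-side validation that ignores what the client claims.

    Returns (accepted, reason).
    """
    name = upload.filename.lower()
    parts = name.split(".")
    # Exactly one extension: names like shell.php.png are rejected outright,
    # because some Apache setups using AddHandler evaluate every dotted part.
    if len(parts) != 2 or not parts[0]:
        return False, "filename must be base.ext with exactly one extension"
    ext = parts[1]
    if ext not in ALLOWED_EXT:
        return False, f"extension .{ext} not in allow-list"
    expected_mime = ALLOWED_EXT[ext]
    if upload.declared_mime != expected_mime:
        return False, "declared MIME type does not match extension"
    # Sniff the real format from the bytes instead of trusting the header.
    if not upload.content.startswith(MAGIC[expected_mime]):
        return False, "file content does not match its declared format"
    # Defence in depth: an image never needs a PHP open tag.
    if b"<?php" in upload.content:
        return False, "embedded PHP open tag found"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a PHP file sent with a spoofed image Content-Type.
    spoofed = Upload("shell.php", "image/png", b"<?php echo 'constructed marker'; ?>")
    print("MIME-only check accepts spoofed upload:", mime_only_check(spoofed))
    print("Hardened check:", hardened_check(spoofed))
```

In a WordPress plugin the equivalent server-side validation is available through `wp_check_filetype_and_ext()`, and a second, independent layer is to deny PHP execution inside the uploads directory at the web-server level, so that a file which slips through validation still cannot run.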
If you are running Greenshift, it is imperative to update to version 11.4.6 or later. Earlier versions — 11.4 through 11.4.5 — are vulnerable and should be considered compromised if unusual behavior is detected.
Additionally, administrators should audit their upload directories for unknown .php files and monitor for suspicious user activity, especially from low-privilege accounts.