Greenshift
cpe:2.3:a:greenshiftwp:greenshift_-_animation_and_page_builder_blocks:*:*:*:*:wordpress:*:*
- <= 9.0.0
A vulnerability allowing authenticated (Subscriber+) server-side request forgery (SSRF) and stored cross-site scripting (XSS) has been identified in the Greenshift animation and page builder blocks plugin for WordPress. This issue affects all versions through 9.0.0 and arises from a missing capability check in the 'greenshift_download_file_localy' function, coupled with a lack of SSRF protection and inadequate sanitization of uploaded SVG files. As a result, authenticated attackers with Subscriber-level access or higher can make web requests to arbitrary locations from the web application, potentially downloading malicious SVG files containing XSS payloads to the server. On cloud-based servers, this could also allow retrieval of instance metadata.
Exploitation of this vulnerability could lead to unauthorized web requests being made from the server, with the potential to download malicious SVG files that could be used to execute cross-site scripting attacks. Additionally, on cloud-based servers, attackers could access sensitive instance metadata.
To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can upload an SVG file through the WordPress media uploader. The uploaded file can then be processed by the Greenshift plugin, which lacks proper sanitization for SVG files. Once the file is uploaded, the user can trigger the vulnerability by initiating a request that exploits the server-side request forgery aspect, such as by accessing instance metadata on a cloud-based server.
Users are advised to update the Greenshift animation and page builder blocks plugin to version 9.0.1 or later.
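The description names two missing controls besides the capability check: SSRF protection on the fetch destination and sanitization of SVG content. The following is an added example in Python, not the plugin's code and not the 9.0.1 fix; the function names, the `FAKE_DNS` table and the sample SVGs are constructed for illustration.

```python
import ipaddress
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

def resolve(host):
    """Default resolver: every address the name maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_safe_fetch_target(url, resolver=resolve):
    """True only for http(s) URLs whose host resolves solely to public IPs."""
    try:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return False
        addrs = resolver(parts.hostname)
        # is_global is False for loopback, private and link-local ranges,
        # which covers the 169.254.169.254 instance-metadata address.
        return bool(addrs) and all(ipaddress.ip_address(a).is_global for a in addrs)
    except (OSError, ValueError):
        return False  # unparseable URL or failed lookup: fail closed

def svg_has_active_content(svg_bytes):
    """True if the SVG has script-capable markup or is not well-formed XML."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError:
        return True  # fail closed
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1].lower() in ("script", "foreignobject"):
            return True
        for name, value in el.attrib.items():
            attr = name.rsplit("}", 1)[-1].lower()
            if attr.startswith("on"):  # event handlers such as onload
                return True
            # Conservative: reject script and data URIs in href / xlink:href.
            if attr == "href" and value.strip().lower().startswith(("javascript:", "data:")):
                return True
    return False

# Constructed sample data so the example runs offline.
FAKE_DNS = {"cdn.example.com": {"93.184.216.34"},
            "internal.example.com": {"10.0.0.5"},
            "169.254.169.254": {"169.254.169.254"}}
def fake_resolver(host):
    return FAKE_DNS.get(host, set())

CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SCRIPTED_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><circle r="4"/></svg>'
```

The destination check only holds if the HTTP client then connects to the address that was validated and re-validates every redirect. The SVG function is a reject-on-detect filter, not a sanitizer, so files it flags should be refused rather than cleaned.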