On April 14th, 2025, we received a submission for an Arbitrary File Upload vulnerability in Greenshift, a WordPress plugin with more than 50,000 active installations. This vulnerability can be used by authenticated attackers, with subscriber-level access and above, to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover.
Props to mikemyers who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This vulnerability was reported to our program just five days after it was introduced. This researcher earned a bounty of $1,229.00 for this discovery. Our mission is to secure WordPress through defense in depth, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure through the detection and prevention of vulnerabilities, which is a critical element to the multi-layered approach to security.
All Wordfence Premium, Wordfence Care, and Wordfence Response customers, as well as those using the free version of our plugin, are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in Malicious File Upload protection.
We provided full disclosure details to the GreenShift team on April 14, 2025. The developer released the first patch the next day, April 15, 2025, and the second patch on April 17, 2025. We would like to commend the GreenShift team for their prompt response and timely patch.
This vulnerability is an incredible example of the positive impact the Wordfence Bug Bounty Program has on the WordPress ecosystem. This vulnerability was introduced on April 10th, 2025, and just four days later it was reported to our Bug Bounty Program, triaged, sent to the developer, and patched the next day, creating a narrow opportunity for attackers to discover and exploit this vulnerability before site owners were protected. Extra special kudos to the researcher mikemyers for discovering this vulnerability so quickly and to GreenShift for remediating the vulnerability so quickly.
We urge users to update their sites with the latest patched version of Greenshift, version 11.4.6 at the time of this publication, as soon as possible.
Vulnerability Summary from Wordfence Intelligence
Affected Plugin: Greenshift – animation and page builder blocks
Plugin Slug: greenshift-animation-and-page-builder-blocks
Affected Versions: 11.4 – 11.4.5
CVE ID: CVE-2025-3616
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Researcher/s: mikemyers
Fully Patched Version: 11.4.6
Bounty Award: $1,229.00
The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the gspb_make_proxy_api_request() function in versions 11.4 to 11.4.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible. The arbitrary file upload was sufficiently patched in 11.4.5, but a capability check was added in 11.4.6 to properly prevent unauthorized limited file uploads.
Technical Analysis
Greenshift is a WordPress plugin that contains many elements for the WordPress block editor, with several customizable settings and animations.
Examining the code reveals that the plugin uses the gspb_make_proxy_api_request() function to handle multiple API requests.
In version 11.4 of the plugin, the vendors added file upload functionality to this function, alongside the request types that were already present. Its operation is contained in the following code snippet:
} else if($type === 'media_upload'){
    // Verify if file was uploaded
    if (empty($_FILES['file'])) {
        return new WP_Error('no_file', 'No file was uploaded', array('status' => 400));
    }
    // Get WordPress upload directory
    $upload_dir = wp_upload_dir();
    $custom_dir = $upload_dir['basedir'] . '/api_upload';
    // Create custom upload directory if it doesn't exist
    if (!file_exists($custom_dir)) {
        wp_mkdir_p($custom_dir);
        // Create .htaccess to prevent directory listing but allow file access
        $htaccess_content = "Options -Indexes\n";
        file_put_contents($custom_dir . '/.htaccess', $htaccess_content);
    }
    // Get file details
    $file = $_FILES['file'];
    $filename = sanitize_file_name($file['name']);
    $tmp_name = $file['tmp_name'];
    // Enhanced security checks
    $allowed_types = array(
        'image/jpeg',
        'image/png',
        'image/gif',
        'image/webp',
        'image/heic',
        'image/heif',
        'application/pdf',
        'application/text',
    );
    // Verify MIME type
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime_type = finfo_file($finfo, $tmp_name);
    finfo_close($finfo);
    if (!in_array($mime_type, $allowed_types)) {
        return new WP_Error('invalid_file_type', 'File type not allowed', array('status' => 400));
    }
    // Check file size (limit to 10MB)
    $max_size = 10 * 1024 * 1024;
    if ($file['size'] > $max_size) {
        return new WP_Error('file_too_large', 'File size exceeds limit of 10MB', array('status' => 400));
    }
    // Generate unique filename with timestamp
    $file_ext = pathinfo($filename, PATHINFO_EXTENSION);
    $new_filename = sprintf(
        '%s_%s.%s',
        uniqid(),
        time(),
        $file_ext
    );
    $destination = $custom_dir . '/' . $new_filename;
    // Move file to destination
    if (!move_uploaded_file($tmp_name, $destination)) {
Although the function includes a MIME type check, that check is not sufficient, and the vulnerable version unfortunately does not include any file type or extension checks. A file’s MIME type can very easily be spoofed to look like an image file, while the extension taken from the original filename is reused unchanged for the stored file. This means that not only image, PDF and text files can be uploaded, but it is also possible to upload files with a .php extension. The file is uploaded to the WordPress uploads folder, which is publicly accessible by default. This makes it possible for attackers with authenticated access, such as subscribers, to upload arbitrary malicious PHP code and then access the file to trigger remote code execution on the server.
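A hardened form of the same upload branch, added here as an illustration and not Greenshift's actual patch, that adds the missing capability check and validates the extension together with the file content through WordPress core's wp_check_filetype_and_ext(), so that a spoofed MIME type with a .php name is rejected and only a vetted extension is ever written to disk. It assumes $custom_dir has been created exactly as in the snippet above.

```php
<?php
// Hardened 'media_upload' branch (illustrative; assumes $custom_dir exists as in the original code).

// Only users who may upload media reach this branch (the check added in 11.4.6 addresses this gap).
if ( ! current_user_can( 'upload_files' ) ) {
    return new WP_Error( 'forbidden', 'Insufficient permissions', array( 'status' => 403 ) );
}
if ( empty( $_FILES['file'] ) ) {
    return new WP_Error( 'no_file', 'No file was uploaded', array( 'status' => 400 ) );
}

$file     = $_FILES['file'];
$filename = sanitize_file_name( $file['name'] );
$tmp_name = $file['tmp_name'];

// Allowlist keyed by extension pattern => expected MIME type. An extension that is
// not a key here (such as php) can never pass, whatever the content claims to be.
$allowed_mimes = array(
    'jpg|jpeg' => 'image/jpeg',
    'png'      => 'image/png',
    'gif'      => 'image/gif',
    'webp'     => 'image/webp',
    'pdf'      => 'application/pdf',
    'txt'      => 'text/plain',
);

// Core checks the extension against the allowlist and, for images, confirms that the
// real content matches it. Mismatches return an empty ext/type.
$check = wp_check_filetype_and_ext( $tmp_name, $filename, $allowed_mimes );
if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
    return new WP_Error( 'invalid_file_type', 'File type not allowed', array( 'status' => 400 ) );
}

$max_size = 10 * 1024 * 1024;
if ( $file['size'] > $max_size ) {
    return new WP_Error( 'file_too_large', 'File size exceeds limit of 10MB', array( 'status' => 400 ) );
}

// Build the stored name from the vetted extension, never from the client-supplied one.
$new_filename = sprintf( '%s_%s.%s', uniqid(), time(), $check['ext'] );
$destination  = $custom_dir . '/' . $new_filename;

if ( ! move_uploaded_file( $tmp_name, $destination ) ) {
    return new WP_Error( 'upload_failed', 'Could not store file', array( 'status' => 500 ) );
}
return array( 'file' => $new_filename, 'type' => $check['type'] );
```

Denying PHP execution inside the custom upload directory at the web server level (for example a handler-disabling rule in the generated .htaccess) is a useful second layer, since the original .htaccess only disables directory listing.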
As with all arbitrary file upload vulnerabilities, this can lead to complete site compromise through the use of webshells and other techniques.
It’s also worth mentioning that some blocks expose the REST nonce, which could make it possible for attackers to exploit this vulnerability unauthenticated when those types of blocks are in use on a vulnerable site.
Disclosure Timeline
April 14, 2025 – We received the submission for the Arbitrary File Upload vulnerability in Greenshift via the Wordfence Bug Bounty Program.
April 14, 2025 – We validated the report and confirmed the proof-of-concept exploit.
April 14, 2025 – We sent over the full disclosure details to the vendor. The vendor acknowledged the report and began working on a fix.
April 15, 2025 – The partially patched version of the plugin, 11.4.5, was released.
April 17, 2025 – The fully patched version of the plugin, 11.4.6, was released.
Conclusion
In this blog post, we detailed an Arbitrary File Upload vulnerability within the Greenshift plugin affecting versions 11.4 through 11.4.5. This vulnerability allows authenticated threat actors with subscriber-level permissions or higher, and in some cases unauthenticated threat actors, to execute malicious code on the server. The vulnerability has been fully addressed in version 11.4.6 of the plugin.
We encourage WordPress users to verify that their sites are updated to the latest patched version of Greenshift as soon as possible considering the critical nature of this vulnerability.
All Wordfence users, including those running Wordfence Premium, Wordfence Care, and Wordfence Response, as well as sites running the free version of Wordfence, are fully protected against this vulnerability.
If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.