CVE-2025-3616

HIGH

Greenshift Animation and Page Builder Blocks 11.4-11.4.5 - Authenticated Arbitrary File Upload

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-3616. PoCs published by b4d-53ct0r.

AI-analyzed exploit summary This is a Metasploit module for CVE-2025-3616, an arbitrary file upload vulnerability in the Greenshift WordPress plugin (versions 11.4 through 11.4.5). It allows authenticated users (Subscriber+) to bypass MIME type validation by spoofing GIF magic bytes, leading to RCE.

Description

The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the gspb_make_proxy_api_request() function in versions 11.4 to 11.4.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The arbitrary file upload was sufficiently patched in 11.4.5, but a capability check was added in 11.4.6 to properly prevent unauthorized limited file uploads.

Exploits (1)

nomisec WORKING POC

by b4d-53ct0r · poc

https://github.com/b4d-53ct0r/CVE-2025-3616

View Code ZIP pw:eip

This is a Metasploit module for CVE-2025-3616, an arbitrary file upload vulnerability in the Greenshift WordPress plugin (versions 11.4 through 11.4.5). It allows authenticated users (Subscriber+) to bypass MIME type validation by spoofing GIF magic bytes, leading to RCE.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Greenshift WordPress Plugin 11.4 - 11.4.5

Auth required

Prerequisites: WordPress installation with vulnerable Greenshift plugin · Valid WordPress credentials (Subscriber+) or open registration

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1505.003 - Web Shell

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Core References

Product

https://plugins.trac.wordpress.org/browser/greenshift-animation-and-page-builder-blocks/trunk/init.php#L3340

Patch

https://plugins.trac.wordpress.org/changeset/3270279/greenshift-animation-and-page-builder-blocks/trunk/init.php

Patch

https://plugins.trac.wordpress.org/changeset/3273212/greenshift-animation-and-page-builder-blocks/trunk/init.php

Patch

https://plugins.trac.wordpress.org/changeset/3276168/greenshift-animation-and-page-builder-blocks/trunk/init.php

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/0db4671e-1989-44a4-babe-ed699c7f3a52?source=cve

Scores

CVSS v3 8.8

EPSS 0.0201

EPSS Percentile 78.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-434

Status published

Products (1)

greenshiftwp/greenshift_-_animation_and_page_builder_blocks 11.4 - 11.4.6

Published Apr 22, 2025

Tracked Since Feb 18, 2026