Executive Summary

The Greenshift – animation and page builder blocks plugin for WordPress has an Insecure Direct Object Reference (IDOR) vulnerability in all versions up to and including 12.8.3. This vulnerability arises because the AJAX handler `gspb_el_reusable_load()` accepts a `post_id` parameter and renders the content of any `wp_block` post without verifying if the current user has permission to read that post or checking the post's status.

Additionally, the security nonce used to protect this AJAX handler is exposed to unauthenticated users on any public page that uses the `[wp_reusable_render]` shortcode with `ajax="1"`. This combination allows unauthenticated attackers to retrieve the rendered HTML content of private, draft, or password-protected reusable blocks.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow unauthenticated attackers to access the rendered content of private, draft, or password-protected reusable blocks within the Greenshift plugin. As a result, sensitive or unpublished content intended to be restricted could be exposed publicly.

Since the attacker does not need to be authenticated, this can lead to unauthorized disclosure of confidential information, potentially harming the website's privacy and security.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the Greenshift WordPress plugin's AJAX handler `gspb_el_reusable_load()` accepting an arbitrary `post_id` parameter without proper authorization checks. Detection can focus on monitoring AJAX requests to this handler that include the `post_id` parameter, especially those originating from unauthenticated users.

You can detect potential exploitation attempts by inspecting web server logs or using network monitoring tools to identify requests to the AJAX endpoint related to reusable blocks, particularly those with unusual or unauthorized `post_id` values.

Suggested commands include searching your web server access logs for suspicious AJAX calls:

• Using grep on Apache or Nginx logs to find AJAX requests to the vulnerable handler, for example: `grep 'admin-ajax.php?action=gspb_el_reusable_load' /var/log/apache2/access.log`
• Look for requests with `post_id` parameters that correspond to private, draft, or password-protected reusable blocks.
• Use network monitoring tools or intrusion detection systems to alert on unauthenticated requests to this AJAX action.

Since the nonce is exposed on public pages using the `[wp_reusable_render]` shortcode with `ajax="1"`, monitoring for unusual or repeated AJAX calls with this nonce from unauthenticated sources can also help detect exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include updating the Greenshift plugin to a version that enforces proper authorization and post status validation in the `gspb_el_reusable_load()` AJAX handler.'}, {'type': 'paragraph', 'content': 'According to Resource 1, the plugin update introduces checks to prevent serving block content if the associated post is not published or is password protected, returning JSON errors in such cases. This update also improves security by excluding sensitive API keys from backups.'}, {'type': 'paragraph', 'content': 'Therefore, the primary step is to upgrade the Greenshift – animation and page builder blocks plugin to version 12.8.4 or later, where these security fixes are applied.'}, {'type': 'paragraph', 'content': 'If immediate updating is not possible, consider temporarily disabling the plugin or restricting access to the AJAX handler via web server rules or firewall to prevent unauthenticated access.'}, {'type': 'paragraph', 'content': 'Additionally, review and remove any publicly exposed shortcodes like `[wp_reusable_render ajax="1"]` that expose the nonce to unauthenticated users.'}] [1]

Useful 0 Not Useful 0