CVE-2024-6155 in Greenshift Plugin
Summary
by MITRE • 01/09/2025
The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Authenticated (Subscriber+) Server-Side Request Forgery and Stored Cross Site Scripting in all versions up to, and including, 9.0.0 due to a missing capability check in the greenshift_download_file_localy function, along with no SSRF protection and sanitization on uploaded SVG files. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application that can also be leveraged to download malicious SVG files containing Cross-Site Scripting payloads to the server. On Cloud-based servers, attackers could retrieve the instance metadata. The issue was partially patched in version 8.9.9 and fully patched in version 9.0.1.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 02/14/2025
The CVE-2024-6155 vulnerability affects the Greenshift WordPress plugin, specifically targeting versions up to and including 9.0.0. This security flaw represents a critical combination of authentication bypass and server-side request forgery risks that significantly compromise the plugin's security posture. The vulnerability stems from insufficient access control mechanisms within the greenshift_download_file_localy function, which fails to properly validate user capabilities before executing sensitive operations. Attackers with Subscriber-level privileges or higher can exploit this weakness to perform unauthorized actions that would normally require elevated permissions, creating a dangerous escalation path within the WordPress environment.
The technical implementation of this vulnerability involves multiple interconnected security failures that together create a potent attack vector. The missing capability check in the greenshift_download_file_localy function represents a fundamental flaw in the plugin's access control design, allowing unauthorized users to execute administrative operations. Additionally, the absence of proper server-side request forgery protections means that attackers can force the web application to make requests to arbitrary internal or external endpoints, potentially exposing sensitive infrastructure. The lack of sanitization for uploaded SVG files creates an additional attack surface where malicious scripts can be embedded within otherwise benign file formats, enabling persistent cross-site scripting attacks that can compromise user sessions and data.
The operational impact of CVE-2024-6155 extends beyond simple privilege escalation, creating opportunities for attackers to harvest sensitive information and establish persistent footholds within affected systems. When exploited on cloud-based servers, attackers can leverage the SSRF capabilities to access instance metadata, potentially obtaining credentials, configuration details, and other sensitive information that could be used for further attacks or lateral movement. The stored XSS vulnerability through SVG file uploads allows attackers to inject malicious scripts that execute in the context of other users' browsers, enabling session hijacking, data theft, and other client-side attacks. This combination of server-side and client-side vulnerabilities creates a comprehensive attack scenario that can persist across multiple user sessions and potentially compromise the entire WordPress installation.
Security practitioners should understand this vulnerability in the context of established threat models and mitigation frameworks. The flaw aligns with CWE-863 (Incorrect Authorization) and CWE-94 (Improper Control of Generation of Code) categories, representing both authorization bypass and code execution vulnerabilities. From an ATT&CK perspective, this vulnerability maps to techniques including T1078 (Valid Accounts), T1190 (Exploit Public-Facing Application), and T1059 (Command and Scripting Interpreter), as attackers can leverage compromised accounts to execute malicious code and establish persistence. The patching process demonstrates the importance of proper capability validation and input sanitization, with version 8.9.9 providing partial protection and 9.0.1 offering complete remediation through proper access controls and security hardening measures. Organizations should prioritize immediate patching of affected installations and implement additional monitoring to detect potential exploitation attempts, particularly focusing on unusual file upload patterns and outbound network connections from WordPress servers.