
A critical vulnerability in the Greenshift WordPress plugin (CVE-2025-3616) allows authenticated attackers to upload arbitrary files, potentially leading to remote code execution. The flaw affects versions 11.4 through 11.4.5 of the animation and page builder plugin, with over 50,000 WordPress sites estimated to be vulnerable before patching.
Executive Summary
The vulnerability stems from insufficient file type validation in the gspb_make_proxy_api_request() function, enabling attackers with Subscriber-level access to upload malicious files. The issue was reported through the Wordfence Bug Bounty Program on April 14, 2025, with patches released in version 11.4.6 on April 17, 2025. The CVSS 8.8 (High) rating reflects the significant risk of server compromise.
- Affected Versions: 11.4 to 11.4.5
- Patch Version: 11.4.6
- Attack Vector: Authenticated (Subscriber+)
- Impact: Arbitrary file upload → RCE
- Endpoint: /wp-json/mapsvg/v1/svgfile
Technical Analysis
The vulnerability allows bypassing WordPress security controls through the plugin’s file upload functionality. Attackers can exploit the gspb_make_proxy_api_request() function to upload files without proper MIME-type validation. This enables the upload of executable files like PHP webshells by spoofing file headers, as demonstrated in similar exploit chains available on GitHub [1].
The primary security failures include missing capability checks and insufficient server-side validation of uploaded file contents. Attackers with minimal privileges (Subscriber role) can abuse this to gain persistent access through uploaded backdoors. The vulnerability was sufficiently mitigated in version 11.4.5, but version 11.4.6 added proper capability checks to prevent unauthorized uploads entirely.
Detection and Mitigation
Organizations should immediately update to Greenshift version 11.4.6. For systems where immediate patching isn’t possible, temporary mitigation includes:
- Restrict Subscriber role permissions
- Monitor /wp-content/uploads/ for suspicious files
- Implement web application firewall rules to block malicious uploads
- Review server logs for POST requests to the vulnerable endpoint
Qualys has added detection capability (ID 732452) for vulnerability scanning. Security teams should prioritize reviewing affected systems, as the vulnerability has been publicly disclosed since April 21, 2025, which increases the likelihood of exploitation attempts.
Security Implications
This vulnerability presents significant risk due to the combination of low privilege requirements and high potential impact. The ability to upload arbitrary files can lead to complete system compromise, particularly when combined with other WordPress privilege escalation techniques. Security professionals should examine all affected systems for indicators of compromise, particularly looking for:
| Indicator | Location |
|---|---|
| Unexpected PHP files | /wp-content/uploads/ |
| Modified timestamps | Greenshift plugin files |
| Suspicious POST requests | Web server logs |
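As an added defensive example (not code from this advisory, Wordfence, Qualys or the Greenshift project), the following Python script implements the two checks that the mitigation list and the indicator table above both call for: it walks an uploads directory and flags PHP both by extension and by content, so a payload hidden behind a spoofed image header is still caught, and it parses access log lines for POST requests to the endpoint named in this advisory. The combined-style log regex, the sample log lines and the throwaway uploads tree are constructed for the demonstration; only the endpoint path is taken from the advisory.

```python
"""Added example for this advisory (not code from Wordfence, Qualys or the
Greenshift project): find PHP in wp-content/uploads and POSTs to the endpoint."""
import os
import re
import tempfile

# Endpoint path as given in the advisory.
VULN_ENDPOINT = "/wp-json/mapsvg/v1/svgfile"

# Extensions a typical mod_php / PHP-FPM setup will execute; any of these
# under wp-content/uploads is unexpected.
EXECUTABLE_EXTS = {".php", ".phtml", ".php5", ".php7", ".phar"}

# PHP open tags. Contents are checked because the advisory describes uploads
# whose file headers were spoofed to look like something harmless.
PHP_MARKERS = (b"<?php", b"<?=")

# Apache/nginx "combined"-style access log line (regex constructed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines: one attempt succeeded (200), one was refused (403).
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Apr/2025:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 4123',
    '203.0.113.5 - - [21/Apr/2025:10:01:09 +0000] "POST /wp-json/mapsvg/v1/svgfile HTTP/1.1" 200 87',
    '198.51.100.7 - - [21/Apr/2025:10:02:44 +0000] "GET /wp-content/uploads/2025/04/photo.jpg HTTP/1.1" 200 51234',
    '203.0.113.5 - - [21/Apr/2025:10:03:15 +0000] "POST /wp-json/mapsvg/v1/svgfile?x=1 HTTP/1.1" 403 12',
]


def find_suspicious_uploads(uploads_dir):
    """Return sorted (relative_path, reason) pairs for files that carry a PHP
    extension or embed a PHP open tag in their first 4 KiB."""
    hits = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            path = os.path.join(root, name)
            ext = os.path.splitext(name)[1].lower()
            reason = None
            if ext in EXECUTABLE_EXTS:
                reason = "php-extension"
            else:
                with open(path, "rb") as fh:
                    head = fh.read(4096)
                if any(marker in head for marker in PHP_MARKERS):
                    reason = "php-tag-in-" + (ext or "noext")
            if reason:
                rel = os.path.relpath(path, uploads_dir).replace(os.sep, "/")
                hits.append((rel, reason))
    return sorted(hits)


def find_endpoint_posts(log_lines):
    """Return (ip, timestamp, status) for each POST to VULN_ENDPOINT, ignoring
    any query string and trailing slash so variants of the path still match."""
    posts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        path = m.group("path").split("?", 1)[0].rstrip("/")
        if path == VULN_ENDPOINT:
            posts.append((m.group("ip"), m.group("ts"), int(m.group("status"))))
    return posts


def build_sample_uploads():
    """Create a throwaway uploads tree with constructed files: a benign JPEG, a
    file with a PHP extension, and PHP hidden behind a PNG header."""
    base = tempfile.mkdtemp(prefix="uploads-")
    sub = os.path.join(base, "2025", "04")
    os.makedirs(sub)
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,  # JPEG magic, no code
        "shell.php": b"<?php /* constructed marker */ ?>",
        "banner.png": b"\x89PNG\r\n\x1a\n" + b"<?php /* constructed marker */ ?>",
    }
    for name, data in samples.items():
        with open(os.path.join(sub, name), "wb") as fh:
            fh.write(data)
    return base


if __name__ == "__main__":
    uploads = build_sample_uploads()
    for rel, reason in find_suspicious_uploads(uploads):
        print("upload:", rel, reason)
    for ip, ts, status in find_endpoint_posts(SAMPLE_LOG):
        print("post:", ip, ts, status)
```

Point `find_suspicious_uploads` at the real `wp-content/uploads` directory and feed `find_endpoint_posts` the lines of the web server access log; a 200 response to the endpoint from a low-privilege account, followed shortly by a request for a new file under uploads, is the sequence worth escalating. Content inspection is the part that matters: extension filters alone miss a payload stored behind an image header.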
The Wordfence advisory [2] provides additional detection guidance, including specific log patterns to identify exploitation attempts. Organizations should also review related vulnerabilities such as CVE-2025-26884, an XSS flaw in earlier Greenshift versions.
Conclusion
CVE-2025-3616 represents a serious threat to WordPress sites using the Greenshift plugin, particularly given the large install base and ease of exploitation. The availability of public proof-of-concept code increases the urgency for patching. Security teams should prioritize this vulnerability due to its high CVSS score and potential for complete system compromise.
The rapid response from the Greenshift development team in releasing patches demonstrates the effectiveness of coordinated vulnerability disclosure programs. However, the window between public disclosure and widespread exploitation continues to shrink, emphasizing the need for prompt patch deployment and thorough post-patch verification.
References
- [1] “CVE-2025-32682 Proof of Concept,” GitHub. [Online]. Available: https://github.com/Nxploited/CVE-2025-32682
- [2] “50,000+ WordPress Sites Affected by Arbitrary File Upload Vulnerability in Greenshift WordPress Plugin,” Wordfence. [Online]. Available: https://www.wordfence.com/blog/2025/04/50000-wordpress-sites-affected-by-arbitrary-file-upload-vulnerability-in-greenshift-wordpress-plugin/
- [3] “CVE-2025-3616 Detail,” NVD. [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2025-3616
- [4] “CVE-2025-3616 Timeline,” Feedly. [Online]. Available: https://feedly.com/cve/CVE-2025-3616
- [5] “XSS in Greenshift <10.9,” WPScan. [Online]. Available: https://wpscan.com/vulnerability/1bfc8cd5-7a29-41ee-b555-be57c364e0fb/