Vulnerability Checker: alert on specific plugin or theme version not matching

Hello,

When a plugin or theme version is reported with a vulnerability, the version of the plugin/theme installed in the site is apparently not considered.

For instance, I have Greenshift plugin 12.8.1 installed in a site and get an alert related to Greenshift 12.5.7 in this site.

Maybe this is just the way it works, no version comparison, just the plugin/theme itself if it’s installed in the site?

Thanks for your leads

Hey @avanti

Welcome to the MainWP Community!

This can happen and it’s usually down to the data coming from the vulnerability provider.

In some cases, a CVE does list the vulnerable versions, but does not specify which version the issue was fixed in. When that “fixed in” information is missing, MainWP can’t reliably determine whether your installed version is safe, even if it’s newer.

To check this properly, can you let us know:

  • Which vulnerability service you’re using (NVD or WPScan)?

  • The exact CVE ID that’s being reported for Greenshift?

Hi @bojan,

Thank you for the details, it makes sense, I didn’t realize the version the vulnerability is fixed in is necessary to compare if the service is able to.

I’m using the NVD API.

Not sure about the CVE ID for my alert, here’s the details if meaningful:

5 February 2026 15 03 16 02162 The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the greenshift_app_pass_validation() function in all versions up to, and including, 12.5.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve global plugin settings including stored AI API keys.

Thanks, @avanti.

I found the CVE: NVD - CVE-2026-1927

And you can see the full API response that NVD returns for that CVE on this URL: https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-1927

And at this time, the NVD does not return information about the version in which this CVE is fixed and that is the reason why our add-on still reports it as vulnerable.

So if it is indeed fixed, feel free to Ignore that vulnerability in our add-on.
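The version comparison discussed in the replies above, as an added example that is not part of the thread and not MainWP's code: it reads the range fields of an NVD CVE API 2.0 record (`configurations`, `nodes`, `cpeMatch`, with `versionEndIncluding` and related keys) and returns "unknown" when the record carries no usable range. Both records and the `example_plugin` CPE are constructed, and node operators and `negate` are ignored for brevity.

```python
import json

BOUNDS = ("versionStartIncluding", "versionStartExcluding",
          "versionEndIncluding", "versionEndExcluding")

def ver(s):
    """'12.5.7' -> (12, 5, 7, 0); non-numeric parts count as 0."""
    parts = [int(p) if p.isdigit() else 0 for p in s.split(".")]
    return tuple((parts + [0, 0, 0, 0])[:4])

def in_range(m, inst):
    """True if the installed version falls inside one cpeMatch range."""
    return (("versionStartIncluding" not in m or inst >= ver(m["versionStartIncluding"]))
        and ("versionStartExcluding" not in m or inst > ver(m["versionStartExcluding"]))
        and ("versionEndIncluding" not in m or inst <= ver(m["versionEndIncluding"]))
        and ("versionEndExcluding" not in m or inst < ver(m["versionEndExcluding"])))

def assess(cve, installed):
    """Return 'affected', 'not_affected' or 'unknown' for one NVD 'cve' object."""
    inst = ver(installed)
    bounded = unbounded = False
    for cfg in cve.get("configurations", []):
        for node in cfg.get("nodes", []):
            for m in node.get("cpeMatch", []):
                if not m.get("vulnerable"):
                    continue
                pinned = m["criteria"].split(":")[5]  # version field of cpe:2.3
                if any(k in m for k in BOUNDS):
                    hit = in_range(m, inst)
                elif pinned not in ("*", "-"):
                    hit = ver(pinned) == inst
                else:
                    unbounded = True  # matches every version, clears nothing
                    continue
                if hit:
                    return "affected"
                bounded = True
    # No configurations, or only wildcard matches: nothing to compare against.
    return "not_affected" if bounded and not unbounded else "unknown"

# Constructed records (not real NVD output); IDs and product are placeholders.
WITH_RANGE = json.loads("""{"id": "CVE-0000-0001", "configurations": [{"nodes": [{"cpeMatch": [
  {"vulnerable": true, "criteria": "cpe:2.3:a:example:example_plugin:*:*:*:*:*:wordpress:*:*",
   "versionEndIncluding": "12.5.7"}]}]}]}""")
NO_RANGE = json.loads("""{"id": "CVE-0000-0002", "descriptions": [
  {"lang": "en", "value": "... in all versions up to, and including, 12.5.7."}]}""")

if __name__ == "__main__":
    print(assess(WITH_RANGE, "12.8.1"), assess(NO_RANGE, "12.8.1"))
```

A checker that alerts on both "affected" and "unknown" behaves like the alert in this thread: a range that exists only in the description text cannot clear a newer installed version.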

I see, thanks for the details, I understand a bit better how the Vulnerability Checker / NVD work now.

There’s a security improvement in Greenshift 12.6.0, not sure it’s related to this CVE:

Fix: improved authorization for API endpoints
