Skip to main content

Nexter Blocks CVE-2026-39516

| EUVDEUVD-2026-20178 MEDIUM
Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497)
2026-04-08 Patchstack GHSA-w962-xqhv-v77r
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 14, 2026 - 15:22 vuln.today
CVSS changed
Apr 14, 2026 - 15:22 NVD
5.3 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20178
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in POSIMYTH Nexter Blocks the-plus-addons-for-block-editor allows Retrieve Embedded Sensitive Data.This issue affects Nexter Blocks: from n/a through <= 4.7.0.

AnalysisAI

Nexter Blocks WordPress plugin versions through 4.7.0 expose sensitive system information to unauthenticated remote attackers via an information disclosure vulnerability, allowing retrieval of embedded sensitive data without authentication or user interaction. The CVSS score of 5.3 reflects moderate confidentiality impact with low attack complexity, though the EPSS score of 0.02% (5th percentile) indicates minimal real-world exploitation probability at time of analysis.

Technical ContextAI

This vulnerability stems from CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere), which occurs when a system fails to restrict access to sensitive information from being exposed to unauthorized parties. In the context of the Nexter Blocks WordPress plugin (a block editor extension for Elementor-like page building), the vulnerability likely involves inadequately protected API endpoints, database queries, or data serialization that exposes system metadata, plugin configuration, or other sensitive data accessible over the network. The attack vector is network-based (AV:N) with low complexity (AC:L) and no privilege escalation required (PR:N), indicating the vulnerability can be triggered by unauthenticated HTTP requests without special preconditions.

RemediationAI

Update Nexter Blocks to a version released after 4.7.0; consult the Patchstack advisory for the exact patched version number. If an immediate update is unavailable, implement network-level controls to restrict unauthenticated access to WordPress plugin endpoints, and audit recent access logs to determine whether sensitive data has been retrieved. Disable the Nexter Blocks plugin temporarily if the plugin vendor has not released a patch and the WordPress site contains high-sensitivity data.

Share

CVE-2026-39516 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy