Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in POSIMYTH Nexter Blocks the-plus-addons-for-block-editor allows Retrieve Embedded Sensitive Data.This issue affects Nexter Blocks: from n/a through <= 4.7.0.
AnalysisAI
Nexter Blocks WordPress plugin versions through 4.7.0 expose sensitive system information to unauthenticated remote attackers via an information disclosure vulnerability, allowing retrieval of embedded sensitive data without authentication or user interaction. The CVSS score of 5.3 reflects moderate confidentiality impact with low attack complexity, though the EPSS score of 0.02% (5th percentile) indicates minimal real-world exploitation probability at time of analysis.
Technical ContextAI
This vulnerability stems from CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere), which occurs when a system fails to restrict access to sensitive information from being exposed to unauthorized parties. In the context of the Nexter Blocks WordPress plugin (a block editor extension for Elementor-like page building), the vulnerability likely involves inadequately protected API endpoints, database queries, or data serialization that exposes system metadata, plugin configuration, or other sensitive data accessible over the network. The attack vector is network-based (AV:N) with low complexity (AC:L) and no privilege escalation required (PR:N), indicating the vulnerability can be triggered by unauthenticated HTTP requests without special preconditions.
RemediationAI
Update Nexter Blocks to a version released after 4.7.0; consult the Patchstack advisory for the exact patched version number. If an immediate update is unavailable, implement network-level controls to restrict unauthenticated access to WordPress plugin endpoints, and audit recent access logs to determine whether sensitive data has been retrieved. Disable the Nexter Blocks plugin temporarily if the plugin vendor has not released a patch and the WordPress site contains high-sensitivity data.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20178
GHSA-w962-xqhv-v77r