Skip to main content

Nexa Blocks CVE-2026-6394

| EUVDEUVD-2026-31033 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-20 Wordfence GHSA-88c3-g468-4jgg
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 20, 2026 - 02:35 vuln.today

DescriptionCVE.org

The Nexa Blocks - Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in versions up to and including 1.1.1. This is due to the import_demo() function accepting a user-supplied URL in the demo_json_file POST parameter and passing it directly to wp_remote_get() without any URL validation or restriction against internal or private network destinations. The nexa_blocks_nonce required for the AJAX action is publicly exposed in the HTML source of any frontend page where the plugin is active via wp_localize_script on the enqueue_block_assets hook, effectively making the nonce available to all visitors and bypassing any intended authentication barrier. This makes it possible for unauthenticated attackers to make server-side HTTP requests to arbitrary internal or external destinations, potentially exposing internal services, cloud metadata endpoints such as the AWS instance metadata service, localhost services, and other resources not intended to be publicly accessible. A secondary SSRF vector also exists whereby image URLs extracted from the attacker-controlled JSON response are subsequently fetched via a second wp_remote_get() call, allowing chained exploitation through a crafted JSON payload.

AnalysisAI

Server-side request forgery in the Nexa Blocks WordPress plugin (versions up to and including 1.1.1) exposes internal network infrastructure to unauthenticated remote attackers by combining an unvalidated URL passthrough with a publicly leaked authentication nonce. The plugin's import_demo() function at template.php:242 forwards an attacker-supplied URL directly to WordPress's wp_remote_get() with no scheme restriction, host allowlist, or RFC-1918 blocklist, and the nexa_blocks_nonce that gates this AJAX endpoint is serialized into every public-facing page's HTML via wp_localize_script, nullifying the intended access control entirely. No public exploit has been identified at time of analysis and this is not listed in CISA KEV, but the effective authentication bypass and trivial exploitation path elevate practical risk substantially above what the CVSS 5.4 score alone communicates.

Technical ContextAI

The affected product is the Nexa Blocks WordPress plugin by wpdive (CPE: cpe:2.3:a:wpdive:nexa_blocks_-_gutenberg_blocks,_page_builder_for_gutenberg_editor_&_fse:*:*:*:*:*:*:*:*). The root cause is CWE-918 (Server-Side Request Forgery), manifesting across two distinct code locations. First, the import_demo() AJAX handler at inc/template/template.php lines 236-242 accepts the demo_json_file POST parameter and passes its value verbatim to WordPress's wp_remote_get() function, which performs an outbound HTTP request from the server with no input sanitization or destination filtering. Second, at inc/classes/enqueue-assets.php line 84, the wp_localize_script() call bound to the enqueue_block_assets hook embeds the nexa_blocks_nonce directly into the JavaScript globals of every page where the plugin is active, converting what would otherwise be a subscriber-or-higher action gate into an effectively unauthenticated one. A secondary SSRF chaining vector exists: the server parses the JSON body fetched from the attacker-supplied URL for image fields and issues additional wp_remote_get() calls to those image URLs, allowing an attacker-controlled server to redirect the second-hop request to any internal destination.

RemediationAI

No vendor-released patch has been identified at time of analysis - vulnerable code remains present in both the 1.1.1 release tag and the current trunk branch per WordPress plugin repository source references, and no fix version was cited in any available reference. The primary recommended action is to deactivate and remove the Nexa Blocks plugin until a patched version is confirmed and released; monitor the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/b4bb3067-7953-466d-a469-8a101450f133 for patch availability. If removal is not immediately feasible, implement outbound firewall rules on the WordPress server to block HTTP requests to RFC-1918 addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8) and the link-local metadata range (169.254.169.254/32); note this may break any legitimate plugin functionality that relies on outbound fetches to internal resources. For AWS-hosted deployments, enforce IMDSv2 by setting the instance metadata hop limit to 1 and requiring session-oriented token acquisition - WordPress's wp_remote_get() issues standard GET requests and cannot complete the IMDSv2 PUT-then-GET flow, effectively blocking the highest-impact credential theft scenario without disabling other plugin functionality.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2026-6394 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy