Severity by source
AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
The Nexa Blocks - Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in versions up to and including 1.1.1. This is due to the import_demo() function accepting a user-supplied URL in the demo_json_file POST parameter and passing it directly to wp_remote_get() without any URL validation or restriction against internal or private network destinations. The nexa_blocks_nonce required for the AJAX action is publicly exposed in the HTML source of any frontend page where the plugin is active via wp_localize_script on the enqueue_block_assets hook, effectively making the nonce available to all visitors and bypassing any intended authentication barrier. This makes it possible for unauthenticated attackers to make server-side HTTP requests to arbitrary internal or external destinations, potentially exposing internal services, cloud metadata endpoints such as the AWS instance metadata service, localhost services, and other resources not intended to be publicly accessible. A secondary SSRF vector also exists whereby image URLs extracted from the attacker-controlled JSON response are subsequently fetched via a second wp_remote_get() call, allowing chained exploitation through a crafted JSON payload.
AnalysisAI
Server-side request forgery in the Nexa Blocks WordPress plugin (versions up to and including 1.1.1) exposes internal network infrastructure to unauthenticated remote attackers by combining an unvalidated URL passthrough with a publicly leaked authentication nonce. The plugin's import_demo() function at template.php:242 forwards an attacker-supplied URL directly to WordPress's wp_remote_get() with no scheme restriction, host allowlist, or RFC-1918 blocklist, and the nexa_blocks_nonce that gates this AJAX endpoint is serialized into every public-facing page's HTML via wp_localize_script, nullifying the intended access control entirely. No public exploit has been identified at time of analysis and this is not listed in CISA KEV, but the effective authentication bypass and trivial exploitation path elevate practical risk substantially above what the CVSS 5.4 score alone communicates.
Technical ContextAI
The affected product is the Nexa Blocks WordPress plugin by wpdive (CPE: cpe:2.3:a:wpdive:nexa_blocks_-_gutenberg_blocks,_page_builder_for_gutenberg_editor_&_fse:*:*:*:*:*:*:*:*). The root cause is CWE-918 (Server-Side Request Forgery), manifesting across two distinct code locations. First, the import_demo() AJAX handler at inc/template/template.php lines 236-242 accepts the demo_json_file POST parameter and passes its value verbatim to WordPress's wp_remote_get() function, which performs an outbound HTTP request from the server with no input sanitization or destination filtering. Second, at inc/classes/enqueue-assets.php line 84, the wp_localize_script() call bound to the enqueue_block_assets hook embeds the nexa_blocks_nonce directly into the JavaScript globals of every page where the plugin is active, converting what would otherwise be a subscriber-or-higher action gate into an effectively unauthenticated one. A secondary SSRF chaining vector exists: the server parses the JSON body fetched from the attacker-supplied URL for image fields and issues additional wp_remote_get() calls to those image URLs, allowing an attacker-controlled server to redirect the second-hop request to any internal destination.
RemediationAI
No vendor-released patch has been identified at time of analysis - vulnerable code remains present in both the 1.1.1 release tag and the current trunk branch per WordPress plugin repository source references, and no fix version was cited in any available reference. The primary recommended action is to deactivate and remove the Nexa Blocks plugin until a patched version is confirmed and released; monitor the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/b4bb3067-7953-466d-a469-8a101450f133 for patch availability. If removal is not immediately feasible, implement outbound firewall rules on the WordPress server to block HTTP requests to RFC-1918 addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8) and the link-local metadata range (169.254.169.254/32); note this may break any legitimate plugin functionality that relies on outbound fetches to internal resources. For AWS-hosted deployments, enforce IMDSv2 by setting the instance metadata hop limit to 1 and requiring session-oriented token acquisition - WordPress's wp_remote_get() issues standard GET requests and cannot complete the IMDSv2 PUT-then-GET flow, effectively blocking the highest-impact credential theft scenario without disabling other plugin functionality.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31033
GHSA-88c3-g468-4jgg