Description
Server-Side Request Forgery (SSRF) vulnerability in wpdive Nexa Blocks nexa-blocks allows Server Side Request Forgery. This issue affects Nexa Blocks: from n/a through <= 1.1.1.
Published: 2025-06-06
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Nexa Blocks plugin for WordPress contains a Server‑Side Request Forgery (SSRF) flaw in versions up to and including 1.1.1. An attacker can cause the site to make arbitrary HTTP or HTTPS requests to internal or external hosts and ports, potentially exposing sensitive data, bypassing firewall boundaries, or facilitating further attacks. The weakness is identified as CWE‑918.

Affected Systems

Any WordPress installation that includes the Nexa Blocks plugin with a version number of 1.1.1 or earlier is affected. Site administrators using newer versions are not impacted.

Risk and Exploitability

The CVSS score of 4.9 denotes a moderate severity risk. An EPSS score of less than 1% indicates that exploitation is currently considered unlikely, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves an adversary sending a crafted request to a vulnerable endpoint exposed by the plugin; from there, the server could be coerced into contacting arbitrary resources. Defenses such as network segmentation, request validation, and limiting outbound connections reduce exploitability.

Generated by OpenCVE AI on April 30, 2026 at 18:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Nexa Blocks plugin to the latest release that removes the SSRF flaw.
  • If an upgrade is delayed, restrict the plugin’s outbound requests to a whitelist of approved domains or use a local proxy that enforces allowed URLs.
  • Deploy a web application firewall or reverse proxy rule that blocks suspicious or unexpected outbound requests originating from the plugin’s API endpoints.

Advisories
Source: EUVD
ID: EUVD-2025-17226
Title: Server-Side Request Forgery (SSRF) vulnerability in wpdive Nexa Blocks allows Server Side Request Forgery. This issue affects Nexa Blocks: from n/a through 1.1.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Server-Side Request Forgery (SSRF) vulnerability in wpdive Nexa Blocks allows Server Side Request Forgery. This issue affects Nexa Blocks: from n/a through 1.1.0.
  Added: Server-Side Request Forgery (SSRF) vulnerability in wpdive Nexa Blocks nexa-blocks allows Server Side Request Forgery. This issue affects Nexa Blocks: from n/a through <= 1.1.1.
Title
  Removed: WordPress Nexa Blocks <= 1.1.0 - Server Side Request Forgery (SSRF) Vulnerability
  Added: WordPress Nexa Blocks plugin <= 1.1.1 - Server Side Request Forgery (SSRF) vulnerability
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Fri, 06 Jun 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Jun 2025 13:15:00 +0000

Type Values Removed Values Added
Description Server-Side Request Forgery (SSRF) vulnerability in wpdive Nexa Blocks allows Server Side Request Forgery. This issue affects Nexa Blocks: from n/a through 1.1.0.
Title WordPress Nexa Blocks <= 1.1.0 - Server Side Request Forgery (SSRF) Vulnerability
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:02.931Z

Reserved: 2025-03-26T09:22:34.906Z

Link: CVE-2025-30976

Vulnrichment

Updated: 2025-06-06T16:10:46.790Z

NVD

Status: Deferred

Published: 2025-06-06T13:15:37.310

Modified: 2026-04-23T15:27:26.377

Link: CVE-2025-30976

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T18:30:16Z
