Description
Deserialization of Untrusted Data vulnerability in wpdive Nexa Blocks nexa-blocks allows Object Injection. This issue affects Nexa Blocks: from n/a through <= 1.1.1.
Published: 2026-03-25
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a deserialization flaw that permits untrusted data to be processed as PHP objects, enabling object injection. An attacker can inject crafted serialized payloads into the Nexa Blocks plugin, potentially executing arbitrary code within the WordPress site and compromising confidentiality, integrity, and availability. The CVSS score of 9.8 reflects the high severity and the full compromise risk.

Affected Systems

The affected product is the Nexa Blocks plugin for WordPress, supplied by wpdive. All releases up to and including version 1.1.1 are vulnerable. No additional version details are listed in the advisory.

Risk and Exploitability

The EPSS score indicates the exploit probability is low (<1%), but the vulnerability remains highly dangerous. It is not currently listed in the CISA KEV catalog, suggesting no known public exploitation yet. The likely attack vector involves an attacker sending a maliciously crafted HTTP request containing a serialized object payload to the plugin’s endpoints, which the plugin processes without sufficient validation. The vulnerability’s impact allows an attacker to gain full control over the affected WordPress site.

Generated by OpenCVE AI on March 26, 2026 at 17:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Nexa Blocks to the latest version (or any release beyond 1.1.1).
  • If an immediate update is not possible, disable the Nexa Blocks plugin until a patch is applied.
  • Regularly monitor the site’s logs for unusual deserialization attempts and keep WordPress core and all plugins up to date to mitigate similar issues.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress; Wpdive; Wpdive nexa Blocks
Vendors & Products | | Wordpress; Wordpress wordpress; Wpdive; Wpdive nexa Blocks

Wed, 25 Mar 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | Deserialization of Untrusted Data vulnerability in wpdive Nexa Blocks nexa-blocks allows Object Injection. This issue affects Nexa Blocks: from n/a through <= 1.1.1.
Title | | WordPress Nexa Blocks plugin <= 1.1.1 - PHP Object Injection vulnerability
Weaknesses | | CWE-502
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T15:44:43.288Z

Reserved: 2026-02-02T12:53:34.262Z

Link: CVE-2026-25429

Vulnrichment

Updated: 2026-03-26T15:40:58.523Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:16:50.460

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-25429

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:31:45Z

Weaknesses