Description
The Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in versions up to and including 1.1.1. This is due to the import_demo() function accepting a user-supplied URL in the demo_json_file POST parameter and passing it directly to wp_remote_get() without any URL validation or restriction against internal or private network destinations. The nexa_blocks_nonce required for the AJAX action is publicly exposed in the HTML source of any frontend page where the plugin is active via wp_localize_script on the enqueue_block_assets hook, effectively making the nonce available to all visitors and bypassing any intended authentication barrier. This makes it possible for unauthenticated attackers to make server-side HTTP requests to arbitrary internal or external destinations, potentially exposing internal services, cloud metadata endpoints such as the AWS instance metadata service, localhost services, and other resources not intended to be publicly accessible. A secondary SSRF vector also exists whereby image URLs extracted from the attacker-controlled JSON response are subsequently fetched via a second wp_remote_get() call, allowing chained exploitation through a crafted JSON payload.
Published: 2026-05-20
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Nexa Blocks plugin for WordPress contains a blind SSRF vulnerability in its import_demo() function. The plugin accepts a user‑supplied URL via the demo_json_file POST parameter and forwards it directly to wp_remote_get() without validating or restricting the target address. Because the nonce required for the AJAX action is publicly exposed in the front‑end markup, any visitor can trigger this endpoint, bypassing any intended authentication. This allows an attacker to instruct the server to fetch arbitrary internal or external URLs, potentially exposing web‑accessible services, cloud metadata endpoints, and other private resources. The vulnerability also includes a secondary SSRF vector where image URLs extracted from a crafted JSON response are subsequently fetched by a second wp_remote_get() call, enabling chained exploitation.

Affected Systems

WordPress sites running Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin version 1.1.1 or earlier are affected. This applies to any site where the plugin is active, regardless of the server’s network configuration.

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate severity issue. Because the nonce is publicly exposed and the SSRF endpoint can target any network destination, an unauthenticated attacker can easily exploit the flaw to reach internal services. The EPSS score is not available, so the exact exploitation probability is uncertain, but the lack of authentication and the broad reach of the SSRF flag a realistic threat. The vulnerability is not listed in CISA’s KEV catalog, yet SSRF attacks are common and the plugin’s popularity increase the potential impact.

Generated by OpenCVE AI on May 20, 2026 at 03:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Nexa Blocks release that removes the SSRF flaw as soon as it becomes available.
  • If the update cannot be applied immediately, disable or delete the import_demo feature—removing or commenting out the related Ajax handler and disallowing wp_remote_get() from that endpoint.
  • Configure a firewall or use a security plugin to block outbound HTTP requests to private or internal IP ranges from WordPress, thereby preventing the server from accessing unintended internal resources.

Generated by OpenCVE AI on May 20, 2026 at 03:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 20 May 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 May 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpdive
Wpdive nexa Blocks – Gutenberg Blocks, Page Builder For Gutenberg Editor & Fse
Vendors & Products Wordpress
Wordpress wordpress
Wpdive
Wpdive nexa Blocks – Gutenberg Blocks, Page Builder For Gutenberg Editor & Fse

Wed, 20 May 2026 02:15:00 +0000

Type Values Removed Values Added
Description The Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in versions up to and including 1.1.1. This is due to the import_demo() function accepting a user-supplied URL in the demo_json_file POST parameter and passing it directly to wp_remote_get() without any URL validation or restriction against internal or private network destinations. The nexa_blocks_nonce required for the AJAX action is publicly exposed in the HTML source of any frontend page where the plugin is active via wp_localize_script on the enqueue_block_assets hook, effectively making the nonce available to all visitors and bypassing any intended authentication barrier. This makes it possible for unauthenticated attackers to make server-side HTTP requests to arbitrary internal or external destinations, potentially exposing internal services, cloud metadata endpoints such as the AWS instance metadata service, localhost services, and other resources not intended to be publicly accessible. A secondary SSRF vector also exists whereby image URLs extracted from the attacker-controlled JSON response are subsequently fetched via a second wp_remote_get() call, allowing chained exploitation through a crafted JSON payload.
Title Nexa Blocks <= 1.1.1 - Unauthenticated Blind Server-Side Request Forgery via 'demo_json_file' Parameter
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
Wpdive Nexa Blocks – Gutenberg Blocks, Page Builder For Gutenberg Editor & Fse
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-20T13:52:15.543Z

Reserved: 2026-04-15T20:12:37.007Z

Link: CVE-2026-6394

cve-icon Vulnrichment

Updated: 2026-05-20T13:51:21.178Z

cve-icon NVD

Status : Deferred

Published: 2026-05-20T02:16:37.490

Modified: 2026-05-20T13:54:54.890

Link: CVE-2026-6394

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T10:38:20Z

Weaknesses