Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE Security & Risk Analysis

The nexa-blocks plugin v1.1.1 presents a mixed security posture. While it demonstrates good practices in output escaping and SQL query preparedness, critical security concerns arise from its vulnerability history and unprotected entry points. The plugin has a history of medium severity vulnerabilities, specifically Cross-site Scripting (XSS) and Server-Side Request Forgery (SSRF). The presence of two currently unpatched CVEs from 2025 is a significant red flag, indicating active and potentially exploitable security flaws. Furthermore, the static analysis reveals two REST API routes lacking permission callbacks, creating a direct attack vector that could be leveraged by attackers to perform unauthorized actions. The use of the `unserialize` function, while not directly flagged by taint analysis as critical, is a known source of potential vulnerabilities if not handled with extreme caution and robust input validation.

Overall, the plugin's strengths lie in its diligent output escaping and prepared SQL statements, which are fundamental security practices. However, these are overshadowed by the persistent medium-severity vulnerabilities, the existence of unpatched CVEs, and the presence of unprotected API endpoints. The pattern of XSS and SSRF vulnerabilities suggests potential issues with how user-supplied data is handled. The conclusion is that while some security fundamentals are in place, the plugin has a history of exploitable flaws and introduces new attack surfaces, requiring immediate attention to address the unpatched vulnerabilities and secure the exposed API routes.