Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE Security & Risk Analysis

wordpress.org/plugins/nexa-blocks

NexaBlocks is a blocks library that extends Gutenberg with several unique and feature-rich blocks that help build websites faster.

1K active installs · v1.1.1 · PHP 7.4+ · WP 6.0+ · Updated Nov 14, 2025
Tags: blocks, custom-block, gutenberg, gutenberg-blocks, nexablocks

Score: 55/100 · Grade C · Use Caution
CVEs total: 3
Unpatched: 2
Last CVE: Sep 29, 2025
Safety Verdict

Is Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE Safe to Use in 2026?

Use With Caution

Score 55/100

Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE has 2 unpatched vulnerabilities. Evaluate alternatives or apply available mitigations.

3 known CVEs · 2 unpatched · Last CVE: Sep 29, 2025 · Updated 4mo ago
Risk Assessment

Nexa Blocks v1.1.1 presents a mixed security posture. The static analysis finds sound fundamentals: all 58 detected outputs are escaped and 9 of 10 SQL queries use prepared statements. Against that stand three medium-severity CVEs (CVSS 6.4) from 2025, all reachable by Contributor+ accounts: two stored Cross-site Scripting issues, one of them (CVE-2025-8624, Google Maps widget) fixed in 1.1.1, and one Server-Side Request Forgery. CVE-2025-30952 (stored XSS) and CVE-2025-30976 (SSRF) are listed as unpatched, so the current release still carries flaws that any Contributor can trigger. Two of the six REST API routes are registered without a permission callback; WordPress performs no authorization on such routes and serves them to anonymous callers, so what they expose must be checked. The load-more AJAX handler calls unserialize(base64_decode($args_encoded)) (inc\classes\list-ajax.php:19) and is registered for both logged-in and logged-out (nopriv) requests; base64 decoding is not a sanitizer, so if the encoded argument originates in the request this is a PHP object injection sink, even though the taint analysis marks the flows as sanitized.

Two further points from the hook and entry-point inventory deserve a manual check that the automated counts cannot settle. Four AJAX actions (nexa_load_more_posts, nexa_form_submit, import_nexa_demo, sync_nexa_data) are registered under wp_ajax_nopriv_ as well as wp_ajax_; the scan counts 7 nonce checks and 3 capability checks in the plugin but does not tie them to specific handlers, so confirm that demo import and data sync in particular cannot be triggered without authentication. The plugin also filters upload_mimes, wp_check_filetype_and_ext and user_has_cap in inc\classes\support-svg.php, i.e. it enables SVG uploads; SVG can carry script, so check which roles gain the upload capability and whether uploaded files are sanitized. Overall, the escaping and prepared-statement discipline is real, but the recurring XSS and SSRF pattern points to weak handling of user-supplied data, and the two unpatched CVEs plus the unprotected REST routes mean the plugin should only run where Contributor accounts are trusted and after the exposed endpoints have been reviewed.

Key Concerns

  • Two unpatched CVEs (medium severity): a Contributor+ stored XSS (CVE-2025-30952) and a Contributor+ SSRF (CVE-2025-30976)
  • 2 of 6 REST API routes registered without a permission callback
  • unserialize() on base64-decoded input in the load-more AJAX handler (inc\classes\list-ajax.php:19), which is also registered for unauthenticated (nopriv) requests
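The unserialize() finding above is best understood next to a hardened version of the same handler. The following is an added example, not code from the Nexa Blocks plugin: it reproduces the pattern the scan reports at inc\classes\list-ajax.php:19 and shows how the surrounding AJAX handler would look with the decoding made safe. The request field name $_POST['args'], the nonce action 'nexa_load_more' and all function names are assumptions; the hook names and line numbers come from the attack-surface list on this page.

```php
<?php
/**
 * Added example, not code from the Nexa Blocks plugin. It reproduces the
 * pattern the scan flags at inc\classes\list-ajax.php:19 and shows a hardened
 * version of the surrounding AJAX handler. Assumed names: the request field
 * $_POST['args'], the nonce action 'nexa_load_more' and the function names.
 */

// Pattern as reported. base64_decode() is an encoding step, not a sanitizer:
// if $args_encoded originates in the request, a caller can submit a serialized
// object and fire the __wakeup()/__destruct() of any class loaded on the site
// (PHP object injection), and can also pass arbitrary WP_Query arguments such
// as post_status => 'private'.
function nexa_decode_args_unsafe( $args_encoded ) {
    return unserialize( base64_decode( $args_encoded ) );
}

// Hardened decoder: objects are never instantiated from untrusted input and only
// whitelisted scalar keys survive, each run through a WordPress sanitizer.
function nexa_decode_args_safe( $args_encoded ) {
    $decoded = base64_decode( (string) $args_encoded, true ); // strict: reject non-base64
    if ( false === $decoded ) {
        return array();
    }
    // allowed_classes => false (PHP 7.0+) maps every object to
    // __PHP_Incomplete_Class, so no magic method can run.
    $args = @unserialize( $decoded, array( 'allowed_classes' => false ) );
    if ( ! is_array( $args ) ) {
        return array();
    }
    $allowed = array(
        'posts_per_page' => 'absint',
        'paged'          => 'absint',
        'cat'            => 'absint',
        'orderby'        => 'sanitize_key',
    );
    $clean = array();
    foreach ( $allowed as $key => $sanitizer ) {
        if ( isset( $args[ $key ] ) && is_scalar( $args[ $key ] ) ) {
            $clean[ $key ] = call_user_func( $sanitizer, $args[ $key ] );
        }
    }
    return $clean;
}

// The action is registered for wp_ajax_ and wp_ajax_nopriv_ (list-ajax.php:194-195),
// so anonymous visitors reach it. Check the nonce before touching the payload and
// pin post_type/post_status server-side so the client cannot widen the query.
function nexa_load_more_posts_hardened() {
    check_ajax_referer( 'nexa_load_more', 'nonce' );

    $raw  = isset( $_POST['args'] ) ? wp_unslash( $_POST['args'] ) : '';
    $args = nexa_decode_args_safe( $raw );

    $query = new WP_Query( array_merge( $args, array(
        'post_type'   => 'post',
        'post_status' => 'publish',
    ) ) );

    $items = array();
    while ( $query->have_posts() ) {
        $query->the_post();
        $items[] = sprintf(
            '<li><a href="%s">%s</a></li>',
            esc_url( get_permalink() ),
            esc_html( get_the_title() )
        );
    }
    wp_reset_postdata();

    wp_send_json_success( array(
        'html'     => implode( '', $items ),
        'has_more' => $query->max_num_pages > (int) ( $args['paged'] ?? 1 ),
    ) );
}
add_action( 'wp_ajax_nexa_load_more_posts', 'nexa_load_more_posts_hardened' );
add_action( 'wp_ajax_nopriv_nexa_load_more_posts', 'nexa_load_more_posts_hardened' );
```

The allowed_classes option keeps the existing wire format working while closing the object-injection path; if both ends of the request are under your control, the cleaner fix is to send JSON and replace unserialize() with json_decode( $raw, true ) entirely. The key whitelist matters independently of the deserialization bug: even a plain array handed straight to WP_Query lets the caller read private or draft content.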
Vulnerabilities (3)

Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE Security Vulnerabilities

CVEs by Year

2025: 3 CVEs (1 patched, 2 unpatched)

Severity Breakdown

Medium: 3 (3 total CVEs)

CVE-2025-8624 · medium · CVSS 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Nexa Blocks <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Google Maps Widget

Sep 29, 2025 · Patched in 1.1.1 (45 days)
CVE-2025-30952 · medium · CVSS 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Nexa Blocks <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jun 5, 2025 · Unpatched
CVE-2025-30976 · medium · CVSS 6.4 · Server-Side Request Forgery (SSRF)

Nexa Blocks <= 1.1.0 - Authenticated (Contributor+) Server-Side Request Forgery

Jun 5, 2025 · Unpatched
Code Analysis
Analyzed: Mar 16, 2026

Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 1 (9 prepared)
Unescaped Output: 0 (58 escaped)
Nonce Checks: 7
Capability Checks: 3
File Operations: 0
External Requests: 4
Bundled Libraries: 0

Dangerous Functions Found

unserialize · inc\classes\list-ajax.php:19 · $args = unserialize(base64_decode($args_encoded));

SQL Query Safety

90% prepared (9 of 10 queries)

Output Escaping

100% escaped (58 outputs)
Data Flows: all sanitized

Data Flow Analysis

6 flows traced; entry point: nexa_load_more_posts (inc\classes\list-ajax.php:6)
Attack Surface (2 unprotected)

Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE Attack Surface

Entry Points: 14 · Unprotected: 2

AJAX Handlers (8)

auth · wp_ajax_nexa_load_more_posts · inc\classes\list-ajax.php:194
nopriv · wp_ajax_nopriv_nexa_load_more_posts · inc\classes\list-ajax.php:195
auth · wp_ajax_nexa_form_submit · inc\form\form-ajax.php:14
nopriv · wp_ajax_nopriv_nexa_form_submit · inc\form\form-ajax.php:15
auth · wp_ajax_import_nexa_demo · inc\template\template.php:34
nopriv · wp_ajax_nopriv_import_nexa_demo · inc\template\template.php:35
auth · wp_ajax_sync_nexa_data · inc\template\template.php:38
nopriv · wp_ajax_nopriv_sync_nexa_data · inc\template\template.php:39

REST API Routes (6)

GET /wp-json/nexa/v1/blocks · inc\api\api.php:40
GET /wp-json/nexa/v1/modules · inc\api\api.php:46
GET /wp-json/nexa/v1/apis · inc\api\api.php:52
GET /wp-json/nexa/v1/posts · inc\api\api.php:58
GET /wp-json/nexa/v1/templates · inc\template\template.php:51
GET /wp-json/nexa/v1/favorites · inc\template\template.php:58
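The scan reports two of these routes without a permission callback but does not name them. The following is an added example, not the plugin's code, using two route paths from the list above (nexa/v1/blocks, nexa/v1/favorites) to show the registration shape the scan flags beside a corrected one; the callback names, the user-meta key and the choice of capability are assumptions.

```php
<?php
/**
 * Added example, not code from the plugin. Uses two route paths from the list
 * above (nexa/v1/blocks, nexa/v1/favorites); the callback and meta-key names
 * are assumptions. Shows the shape the scan reports as "no permission callback"
 * beside the corrected registration.
 */

// As reported: no 'permission_callback'. WordPress then performs no
// authorization at all, serves the route to anonymous callers and, since
// WP 5.5, logs a _doing_it_wrong() notice. Deliberately not hooked here.
function nexa_register_routes_unprotected() {
    register_rest_route( 'nexa/v1', '/favorites', array(
        'methods'  => WP_REST_Server::READABLE,
        'callback' => 'nexa_rest_get_favorites',
    ) );
}

function nexa_register_routes_hardened() {
    // Genuinely public, read-only data: state that explicitly.
    register_rest_route( 'nexa/v1', '/blocks', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'nexa_rest_get_blocks',
        'permission_callback' => '__return_true',
    ) );

    // Per-user data: require a logged-in user with a capability. Cookie-based
    // REST requests count as logged in only when the X-WP-Nonce header is valid,
    // so a plain cross-site GET arrives here as user 0 and is rejected.
    register_rest_route( 'nexa/v1', '/favorites', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'nexa_rest_get_favorites',
        'permission_callback' => 'nexa_rest_can_read_favorites',
        'args'                => array(
            'per_page' => array(
                'type'              => 'integer',
                'default'           => 20,
                'minimum'           => 1,
                'maximum'           => 100,
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
}
add_action( 'rest_api_init', 'nexa_register_routes_hardened' );

function nexa_rest_can_read_favorites( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() || ! current_user_can( 'edit_posts' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'Sorry, you are not allowed to do that.' ),
            array( 'status' => rest_authorization_required_code() ) // 401 or 403
        );
    }
    return true;
}

function nexa_rest_get_blocks( WP_REST_Request $request ) {
    // Block metadata only; nothing user- or site-specific belongs here.
    return rest_ensure_response( array( 'blocks' => array( 'nexa/form' ) ) );
}

function nexa_rest_get_favorites( WP_REST_Request $request ) {
    $favorites = get_user_meta( get_current_user_id(), 'nexa_favorites', true ); // assumed meta key
    $favorites = is_array( $favorites ) ? array_values( $favorites ) : array();
    return rest_ensure_response( array_slice( $favorites, 0, (int) $request['per_page'] ) );
}
```

To find out which two routes on a live install are the unprotected ones, request each of the six paths without credentials: a route with a working permission callback answers 401 (rest_forbidden), while an unprotected one returns its payload with 200. GET /wp-json/nexa/v1 returns the namespace index, which lists the registered routes and their methods for the same purpose.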
WordPress Hooks (30)
action · admin_init · inc\admin\classes\block-settings.php:27
action · admin_menu · inc\admin\classes\dashboard.php:24
action · admin_enqueue_scripts · inc\admin\classes\enqueue.php:24
filter · render_block · inc\animations\entrance.php:21
action · rest_api_init · inc\api\api.php:28
action · init · inc\api\api.php:29
action · init · inc\api\api.php:30
action · init · inc\api\api.php:31
filter · render_block · inc\blocks\blocks_render.php:28
filter · render_block · inc\classes\dynamic-style.php:44
action · wp_enqueue_scripts · inc\classes\dynamic-style.php:47
action · wp_footer · inc\classes\dynamic-style.php:49
action · enqueue_block_editor_assets · inc\classes\enqueue-assets.php:40
action · enqueue_block_assets · inc\classes\enqueue-assets.php:41
action · admin_enqueue_scripts · inc\classes\enqueue-assets.php:42
action · wp_enqueue_scripts · inc\classes\fonts-loader.php:48
action · admin_enqueue_scripts · inc\classes\fonts-loader.php:49
action · nexablocks_render_block · inc\classes\fonts-loader.php:50
action · init · inc\classes\register-blocks.php:40
filter · block_categories_all · inc\classes\register-category.php:40
filter · wp_check_filetype_and_ext · inc\classes\support-svg.php:28
filter · upload_mimes · inc\classes\support-svg.php:29
action · init · inc\classes\support-svg.php:30
filter · user_has_cap · inc\classes\support-svg.php:31
action · admin_head · inc\classes\support-svg.php:32
filter · render_block_nexa/form · inc\form\render-form.php:25
action · rest_api_init · inc\template\template.php:27
action · init · inc\template\template.php:28
action · enqueue_block_editor_assets · inc\template\template.php:31
filter · rest_pre_serve_request · inc\template\template.php:68
Maintenance & Trust

Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Nov 14, 2025
PHP min version: 7.4
Downloads: 13K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 1K
Developer Profile

Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE Developer Profile

wpdive

8 plugins · 7K total installs

Trust score: 80
Avg Security Score: 88/100
Avg Patch Time: 40 days
Detection Fingerprints

How We Detect Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/nexa-blocks/build/admin/index.js
/wp-content/plugins/nexa-blocks/build/admin/style-index.css
Script Paths
/wp-content/plugins/nexa-blocks/build/admin/index.js
Version Parameters
/wp-content/plugins/nexa-blocks/build/admin/index.js?ver=
/wp-content/plugins/nexa-blocks/build/admin/style-index.css?ver=

HTML / DOM Fingerprints

CSS Classes
nexa-dashboard
Data Attributes
data-nexa-block-style
JS Globals
nexaDashboard
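The fingerprints above can be applied to a page's HTML to answer the question the rest of this report raises: is the plugin present, and which version. The following is an added example, not the tooling behind this page. It assumes the plugin enqueues its assets with its own version string, so that ?ver= equals the plugin version; if a site's ?ver= carries a file hash or the WordPress core version instead, the value is still reported but must not be trusted. The sample HTML is constructed, not captured from a real site.

```php
<?php
/**
 * Added example, not the tooling behind this page. It applies the asset, CSS,
 * data-attribute and JS-global fingerprints listed above to a page's HTML and
 * reads the version from the ?ver= parameter. Assumption: the plugin enqueues
 * its assets with its own version string, so ?ver= equals the plugin version.
 */

// Release that fixed CVE-2025-8624. CVE-2025-30952 and CVE-2025-30976 have no
// fixed release listed above, so any detected install is exposed to those two.
const NEXA_FIXED_8624 = '1.1.1';

const NEXA_ASSET_RE = '~/wp-content/plugins/nexa-blocks/build/admin/'
    . '(?:index\.js|style-index\.css)(?:\?ver=([0-9][0-9A-Za-z.\-]*))?~';

const NEXA_DOM_MARKERS = array(
    'class'     => 'nexa-dashboard',
    'data-attr' => 'data-nexa-block-style',
    'js-global' => 'nexaDashboard',
);

function nexa_fingerprint( string $html ): array {
    $result = array(
        'present'    => false,
        'version'    => null,
        'dom_hits'   => array(),
        'fixed_8624' => null, // stays null when no version could be read
    );

    if ( preg_match_all( NEXA_ASSET_RE, $html, $m ) ) {
        $result['present'] = true;
        foreach ( $m[1] as $ver ) {      // group 1 is '' when ?ver= is absent
            if ( '' !== $ver ) {
                $result['version'] = $ver;
                break;
            }
        }
    }

    foreach ( NEXA_DOM_MARKERS as $kind => $needle ) {
        if ( false !== strpos( $html, $needle ) ) {
            $result['present']    = true;
            $result['dom_hits'][] = $kind;
        }
    }

    if ( null !== $result['version'] ) {
        $result['fixed_8624'] = version_compare( $result['version'], NEXA_FIXED_8624, '>=' );
    }
    return $result;
}

// Constructed sample, not captured from a real site.
$sample = <<<'HTML'
<link rel="stylesheet" href="https://example.com/wp-content/plugins/nexa-blocks/build/admin/style-index.css?ver=1.1.0" />
<script src="https://example.com/wp-content/plugins/nexa-blocks/build/admin/index.js?ver=1.1.0"></script>
<div class="nexa-dashboard" data-nexa-block-style="default"></div>
<script>var nexaDashboard = {};</script>
HTML;

$r = nexa_fingerprint( $sample );
printf(
    "present=%s version=%s fixed_for_CVE-2025-8624=%s dom=%s\n",
    $r['present'] ? 'yes' : 'no',
    $r['version'] ?? 'unknown',
    null === $r['fixed_8624'] ? 'unknown' : ( $r['fixed_8624'] ? 'yes' : 'no' ),
    implode( ',', $r['dom_hits'] )
);
```

The asset paths are the strongest signal because they are emitted wherever the plugin's admin bundle is loaded, while the CSS class, data attribute and JS global only appear on pages that render the corresponding markup; treating any one hit as "present" and requiring the ?ver= value for version claims keeps false positives low without missing installs that strip query strings.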
FAQ

Frequently Asked Questions about Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE