# CVE-2026-25429: Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE <= 1.1.1 - Unauthenticated PHP Object Injection

*   **CVE ID:** CVE-2026-25429
*   **Plugin slug:** `nexa-blocks` (WordPress plugin; no theme slug)
*   **Affected versions:** <= 1.1.1
*   **Patched in version:** not recorded (no patch files and no Trac changeset on file)
*   **Vulnerability type:** Deserialization of Untrusted Data
*   **Severity:** High, CVSS 3.1 base score 8.1
*   **CVSS vector:** `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`
*   **Published:** 2026-03-18; **Updated:** 2026-03-27 19:33:07
*   **Reference:** https://www.wordfence.com/threat-intel/vulnerabilities/id/99747020-80a4-4ce0-85a2-cc8cdbd9a676?source=api-prod
*   **Source tags:** https://plugins.trac.wordpress.org/browser/nexa-blocks/tags (no vulnerable/fixed version browse or zip links recorded)
*   **Research status:** researched, 3 rounds completed, not verified; model `gemini-3-flash-preview`, started 2026-04-18 02:26:27, completed 2026-04-18 02:26:48
*   **PoC status:** none recorded (no video, steps, Playwright script, exploit code or trace)

## Description

The Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.1.1 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

The High attack-complexity component of the CVSS vector reflects exactly that caveat: the plugin ships no known POP chain, so the impact beyond object instantiation depends on what else is installed.

## Research Plan (auto-generated, unverified)

Based on the vulnerability details for **CVE-2026-25429**, this is a classic **Unauthenticated PHP Object Injection** vulnerability in the "Nexa Blocks" plugin. Since source files are not provided, this plan is constructed from the advisory description, common Gutenberg plugin patterns, and WordPress security best practices. Every action name, parameter name and file path below is inferred and must be confirmed against the plugin source before use.

---

### 1. Vulnerability Summary
The Nexa Blocks plugin (versions <= 1.1.1) fails to validate user-supplied data before passing it to the PHP `unserialize()` function. This occurs in an endpoint accessible to unauthenticated users (likely an AJAX `nopriv` handler or an early-loading hook). An attacker can submit a crafted, serialized PHP object string. If a suitable Property-Oriented Programming (POP) chain exists in the WordPress environment (in another installed plugin, the theme, or a library they bundle), this can lead to Remote Code Execution (RCE), arbitrary file deletion, or sensitive data retrieval. The advisory records no POP chain in the plugin itself.

### 2. Attack Vector Analysis
*   **Endpoint:** Likely `wp-admin/admin-ajax.php`.
*   **Action (Inferred):** Look for AJAX actions registered with `wp_ajax_nopriv_`. Potential candidates: `nexa_blocks_get_remote_data`, `nexa_import_template`, or `nexa_save_block_attributes`.
*   **Vulnerable Parameter:** Likely a POST parameter named `settings`, `data`, `attributes`, or `config`.
*   **Authentication:** Unauthenticated (`nopriv`).
*   **Preconditions:** A valid WordPress nonce may be required if the developer added CSRF protection. A nonce created for logged-out visitors is not an authentication control: it is embedded in the page source and can be harvested by any visitor, so it does not change the unauthenticated rating.

### 3. Code Flow (Inferred)
1.  **Entry Point:** An unauthenticated user sends a POST request to `admin-ajax.php` with a specific `action`.
2.  **Hook Registration:** The plugin registers the action:
    `add_action( 'wp_ajax_nopriv_[ACTION_NAME]', 'callback_function' );`
3.  **Vulnerable Sink:** Inside the callback function, the plugin retrieves a parameter from `$_POST` or `$_REQUEST`.
4.  **Deserialization:** The code executes:
    `$unserialized_data = unserialize( base64_decode( $_POST['[PARAMETER]'] ) );`
    *Or*
    `$unserialized_data = maybe_unserialize( $_POST['[PARAMETER]'] );`
5.  **Execution:** PHP instantiates the object during `unserialize()`, running `__wakeup()` (or `__unserialize()` on PHP 7.4+) immediately and `__destruct()` when the object is released, so a gadget fires even if the plugin never uses the returned value.

### 4. Nonce Acquisition Strategy
If the endpoint requires a nonce (common in AJAX handlers), the plugin likely exposes it via `wp_localize_script`.

1.  **Identify Trigger:** Search the plugin code for `wp_create_nonce`. Note the action string (e.g., `'nexa_blocks_nonce'`).
2.  **Locate Localization:** Find where this nonce is passed to the frontend (e.g., `wp_localize_script( 'nexa-script', 'nexa_params', ... )`).
3.  **Create Test Page:**
    *   Find a shortcode or block registered by the plugin (e.g., `[nexa_block]`).
    *   Execute: `wp post create --post_type=page --post_status=publish --post_title="Nexa Test" --post_content='[nexa_block]'`
4.  **Extract via Browser:**
    *   Navigate to the newly created page.
    *   Use `browser_eval` to extract the nonce:
        `browser_eval("window.nexa_params?.nonce")` (Replace `nexa_params` and `nonce` with the actual keys found in the code).

### 5. Exploitation Strategy
To prove Object Injection without a complex POP chain, use a "Payload of Confirmation": an object that produces an observable difference without requiring external dependencies.

**Step 1: Identify the Endpoint and Parameter**
Use `grep` on the plugin directory to find the sink:
`grep -rn "unserialize" .`
Look for matches where the input comes from `$_POST` or `$_GET`.

**Step 2: Craft the Payload**
Without a POP chain the goal is only to show that attacker-controlled input reaches `unserialize()`. Use a class that is guaranteed to exist in every WordPress install and is inert on instantiation:
`O:8:"WP_Theme":1:{s:12:"theme_exists";b:1;}`
(shown before Base64 encoding; the request carries the Base64 form). Instantiating `WP_Theme` this way does not touch the filesystem, so injection shows up only indirectly: a type error in the log when the callback treats the result as an array, or a response that differs from the one returned for a plain serialized array. An object of a class name that does not exist works the same way, since PHP deserializes it as `__PHP_Incomplete_Class` and the same errors follow.

**Step 3: Construct the HTTP Request**
Using the `http_request` tool:
*   **Method:** POST
*   **URL:** `http://[TARGET]/wp-admin/admin-ajax.php`
*   **Headers:** `Content-Type: application/x-www-form-urlencoded`
*   **Body:** `action=[ACTION_NAME]&nonce=[NONCE]&[PARAMETER]=[PAYLOAD]`

### 6. Test Data Setup
1.  **Plugin Installation:** Ensure Nexa Blocks <= 1.1.1 is installed and active.
2.  **Shortcode Page:** Create a page containing a Nexa Block to ensure all scripts and nonces are loaded.
    `wp post create --post_type=page --post_status=publish --post_content='<!-- wp:nexa/block-name /-->' --post_title='Exploit Test'`
3.  **Identify Nonce Key:** Audit `wp_localize_script` calls in the plugin's `includes/` or `admin/` files to find the JS variable name.

### 7. Expected Results
*   **Success Indicator:** `admin-ajax.php` answers HTTP 200 whether or not the injection worked (a callback that returns without output still ends in `wp_die('0')`), whereas an unregistered action answers `0` with HTTP 400; the status code therefore only confirms that the action exists. With `WP_DEBUG_LOG` enabled, the PHP error log may show "Attempt to assign property of non-object", "Cannot use object of type ... as array" or similar when the plugin expects an array and receives the injected object.
*   **Proof of Injection:** With a POP chain (e.g., `GuzzleHttp\Cookie\FileCookieJar`, whose destructor writes its cookie file), a file is written on the system.
*   **Blind Verification:** If nothing is reflected, a time-based payload (a hypothetical chain that ends in `sleep()`) can be used; no such chain is known in this plugin.

### 8. Verification Steps
After sending the exploit request, verify the injection:
1.  **Check PHP Error Logs:** Look for serialization errors or class instantiation logs (requires `WP_DEBUG` and `WP_DEBUG_LOG` in `wp-config.php`).
    `tail -f /var/www/html/wp-content/debug.log`
2.  **WP-CLI Check:** If the payload was designed to modify an option or user:
    `wp option get [injected_option_name]`
3.  **Monitor Filesystem:** If using a file-delete/write chain, check the target directory.

### 9. Alternative Approaches
*   **REST API:** Check if the vulnerability exists in a REST route:
    `grep -rn "register_rest_route" .`
    Look for routes where the `permission_callback` is `__return_true` and parameters are passed to `unserialize`.
*   **maybe_unserialize:** Developers often use `maybe_unserialize()`. It only calls `unserialize()` when `is_serialized()` judges the string to look like serialized PHP data, which a crafted payload trivially satisfies, so it is exactly as dangerous as a direct call when the input is user-controlled.
*   **Cookie-based:** Some page builders store configuration in cookies. Check `$_COOKIE` processing in `init` hooks.

---
**Key Identifiers to Search for (Inferred):**
*   **Action Name:** `nexa_get_template`, `nexa_blocks_action`, `nexa_ajax_handler`
*   **JS Variables:** `nexa_blocks_vars`, `nexa_ajax_obj`
*   **Parameter:** `data`, `attributes`, `settings_data`

## Research Summary

The Nexa Blocks plugin for WordPress (versions 1.1.1 and earlier) is vulnerable to unauthenticated PHP Object Injection because it processes user-supplied data through the PHP `unserialize()` function without adequate validation. This allows an attacker to inject arbitrary PHP objects into the application scope, potentially leading to remote code execution if a compatible POP chain exists in the target environment.

## Vulnerable Code (inferred, not confirmed against the plugin source)

```php
// nexa-blocks/includes/class-nexa-ajax.php (inferred location based on AJAX functionality)
add_action( 'wp_ajax_nopriv_nexa_blocks_get_remote_data', 'nexa_blocks_get_remote_data' );

// nexa-blocks/includes/class-nexa-ajax.php
function nexa_blocks_get_remote_data() {
    if ( isset( $_POST['data'] ) ) {
        // The plugin takes base64-encoded data from the 'data' parameter and unserializes it directly,
        // so any class loaded in the process can be instantiated by an unauthenticated request.
        $remote_data = unserialize( base64_decode( $_POST['data'] ) );
        return $remote_data;
    }
}
```

## Exploit Outline

The attack is performed by sending a POST request to the WordPress AJAX endpoint (`/wp-admin/admin-ajax.php`). The request must include an `action` parameter associated with a vulnerable unauthenticated (`nopriv`) handler, such as `nexa_blocks_get_remote_data`. The attacker identifies a vulnerable parameter (e.g., `data`) and provides a Base64-encoded string containing a crafted PHP serialized object. When the server processes the request, it invokes `unserialize()` on the input, instantiating the object and triggering any associated PHP magic methods. Because the handler is registered via `wp_ajax_nopriv`, the exploit requires no authentication.

## Fix Diff (inferred; the page records no vendor patch or patched version)

```diff
--- a/includes/class-nexa-ajax.php
+++ b/includes/class-nexa-ajax.php
@@ -10,5 +10,5 @@
 function nexa_blocks_get_remote_data() {
     if ( isset( $_POST['data'] ) ) {
-        $remote_data = unserialize( base64_decode( $_POST['data'] ) );
+        $remote_data = json_decode( base64_decode( $_POST['data'] ), true );
         return $remote_data;
     }
```
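Review bot: the `+` line removes the `unserialize()` sink but hands the `json_decode()` result back unvalidated: malformed input yields `null` and any JSON scalar passes straight through, so add a shape check before the `return` (e.g. `if ( ! is_array( $remote_data ) ) { wp_send_json_error(); }`). The hunk also leaves the handler registered on `wp_ajax_nopriv_` with no nonce or capability check, and because the page records no patched version and an empty patch-file list, this diff is an inferred fix rather than the vendor's change and should be labelled as such wherever it is cited.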
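The following stand-alone PHP script is an added example for this page, not code from Nexa Blocks or from the research record. It places the inferred `unserialize( base64_decode( $_POST['data'] ) )` sink beside two hardened forms and exercises all three with a payload constructed locally: `Hypothetical_Gadget`, `vulnerable_decode`, `hardened_unserialize`, `hardened_json` and the temp-file target are assumptions introduced here, and the gadget stands in for a POP-chain class that some other plugin might ship, since the advisory records none in this plugin. Requires PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Added example, not Nexa Blocks code. Stand-alone CLI script; the class and
// function names are hypothetical and the payload is constructed locally in
// place of the POST `data` field an attacker would send to admin-ajax.php.

// Hypothetical gadget standing in for a POP-chain class from another plugin
// or bundled library: a destructor that writes a file, the same effect the
// research plan attributes to GuzzleHttp\Cookie\FileCookieJar.
final class Hypothetical_Gadget
{
    public string $path = '';
    public string $content = '';

    public function __destruct()
    {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->content);
        }
    }
}

// Inferred vulnerable sink: Base64 -> unserialize() with no class restriction.
// Every class loaded in the process becomes instantiable from the request body.
function vulnerable_decode(string $raw): mixed
{
    return unserialize(base64_decode($raw));
}

// True if the decoded value contains any object, including the
// __PHP_Incomplete_Class placeholders left behind by allowed_classes => false.
function contains_object(mixed $value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened variant A: keep the serialize() wire format but forbid every class.
// Objects come back as __PHP_Incomplete_Class, so no magic method ever runs,
// and the result is rejected unless it is a plain array of arrays/scalars.
function hardened_unserialize(string $raw): ?array
{
    $bin = base64_decode($raw, true);            // strict mode rejects junk bytes
    if ($bin === false) {
        return null;
    }
    $data = @unserialize($bin, ['allowed_classes' => false]);
    if (!is_array($data) || contains_object($data)) {
        return null;
    }
    return $data;
}

// Hardened variant B: what the inferred fix diff does, plus the shape check it
// lacks. JSON has no object-instantiation semantics at all.
function hardened_json(string $raw): ?array
{
    $bin = base64_decode($raw, true);
    if ($bin === false) {
        return null;
    }
    $data = json_decode($bin, true, 16);         // assoc arrays, bounded depth
    return is_array($data) ? $data : null;
}

// --- Demonstration ---------------------------------------------------------

$target = sys_get_temp_dir() . '/poi-demo-' . getmypid() . '.txt';

// Attacker side: serialize a gadget whose destructor will write $target, then
// Base64 it exactly as the inferred handler expects.
$gadget = new Hypothetical_Gadget();
$gadget->path = $target;
$gadget->content = "written by __destruct()\n";
$payload = base64_encode(serialize($gadget));
$gadget->path = '';   // disarm the local copy so only the injected object writes
unset($gadget);

$obj = vulnerable_decode($payload);   // instantiates Hypothetical_Gadget
unset($obj);                          // refcount reaches zero: __destruct() runs
printf("vulnerable_decode: file written = %s\n", var_export(file_exists($target), true));
@unlink($target);

$a = hardened_unserialize($payload);  // placeholder object, rejected, no write
printf("hardened_unserialize: result is null = %s, file written = %s\n",
    var_export($a === null, true), var_export(file_exists($target), true));

$b = hardened_json($payload);         // not JSON, rejected
printf("hardened_json(payload): result is null = %s\n", var_export($b === null, true));

$legit = base64_encode(json_encode(['template' => 'hero', 'columns' => 2]));
printf("hardened_json(legit): %s\n", json_encode(hardened_json($legit)));
```

Run it as `php poi-demo.php`. The `allowed_classes => false` variant is the right choice when the wire format cannot change (stored options, compatibility with existing clients); switching the format to JSON, as the inferred diff does, removes the sink entirely but still needs the `is_array()` check, because `json_decode()` returns `null` for malformed input and whatever scalar the attacker chooses otherwise.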