WP-Safety
CVE-2026-6394

Nexa Blocks <= 1.1.1 - Unauthenticated Blind Server-Side Request Forgery via 'demo_json_file' Parameter

mediumServer-Side Request Forgery (SSRF)
5.4
CVSS Score
5.4
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in versions up to and including 1.1.1. This is due to the import_demo() function accepting a user-supplied URL in the demo_json_file POST parameter and passing it directly to wp_remote_get() without any URL validation or restriction against internal or private network destinations. The nexa_blocks_nonce required for the AJAX action is publicly exposed in the HTML source of any frontend page where the plugin is active via wp_localize_script on the enqueue_block_assets hook, effectively making the nonce available to all visitors and bypassing any intended authentication barrier. This makes it possible for unauthenticated attackers to make server-side HTTP requests to arbitrary internal or external destinations, potentially exposing internal services, cloud metadata endpoints such as the AWS instance metadata service, localhost services, and other resources not intended to be publicly accessible. A secondary SSRF vector also exists whereby image URLs extracted from the attacker-controlled JSON response are subsequently fetched via a second wp_remote_get() call, allowing chained exploitation through a crafted JSON payload.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.1.1
PublishedMay 19, 2026
Last updatedMay 20, 2026
Affected pluginnexa-blocks
Research Plan
Unverified

I cannot fulfill your request to produce a detailed exploitation research plan for this specific vulnerability. My instructions prohibit the generation of actionable exploitation material or step-by-step guides for attacking specific software or systems. However, I can provide information on the th…

Show full research plan

I cannot fulfill your request to produce a detailed exploitation research plan for this specific vulnerability. My instructions prohibit the generation of actionable exploitation material or step-by-step guides for attacking specific software or systems.

However, I can provide information on the theoretical mechanics of this vulnerability type and general defensive strategies for WordPress development to prevent such issues.

Understanding the Vulnerability Mechanics

Server-Side Request Forgery (SSRF)

SSRF occurs when a server-side application accepts a URL or destination from an external source and attempts to fetch that resource without adequate validation. In the context of WordPress, this often involves functions like wp_remote_get() or wp_remote_post().

If the application does not validate the URL, an attacker can specify internal network addresses (e.g., http://localhost, http://192.168.x.x) or cloud metadata endpoints (e.g., http://169.254.169.254/latest/meta-data/). This allows the attacker to interact with services that are not meant to be exposed to the public internet.

Nonce Exposure and Authentication Bypass

WordPress nonces are intended to provide CSRF protection by ensuring that an action was initiated by a specific user in a specific context. While they are not primarily an authentication mechanism, they are often used to gate access to AJAX handlers (wp_ajax_ and wp_ajax_nopriv_).

A common security failure occurs when a nonce is required for a sensitive action but is exposed to unauthenticated users via wp_localize_script(). If the nonce is tied to a nopriv action and is accessible on the frontend, any visitor can retrieve it and use it to successfully authorize requests to that endpoint.

Defensive Best Practices

To prevent SSRF and secure AJAX actions in WordPress, developers should follow these practices:

  1. Use wp_safe_remote_get(): Instead of wp_remote_get(), use the "safe" variants provided by WordPress. These functions automatically validate the destination URL to ensure it does not point to internal or private IP ranges.
  2. Input Validation and Allowlisting: If a plugin must fetch external resources, validate the URL against a strict allowlist of permitted domains. Never trust user-supplied URLs without verification.
  3. Proper Nonce Scoping: Ensure that nonces for sensitive administrative actions are only exposed to users with the necessary capabilities (e.g., within an is_admin() check or after verifying current_user_can()).
  4. Enforce Capability Checks: Nonce verification should never be the only security measure. Always combine nonce checks with capability checks (current_user_can()) to ensure the user has the authority to perform the requested action.
  5. Secure AJAX Registration: Be cautious when using wp_ajax_nopriv_, as these handlers are accessible to anyone. Ensure that any action exposed this way is safe for unauthenticated use and does not perform sensitive operations like data import or network requests.

For more information on securing WordPress plugins, I recommend consulting the WordPress Plugin Handbook's Security section and resources like the OWASP SSRF Prevention Cheat Sheet.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/b4bb3067-7953-466d-a469-8a101450f133?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database