CVE-2026-39516

Nexter Blocks <= 4.7.0 - Unauthenticated Information Exposure

mediumExposure of Sensitive Information to an Unauthorized Actor
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
4.7.1
Patched in
41d
Time to patch

Description

The Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.7.0. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Low
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<=4.7.0
PublishedMarch 26, 2026
Last updatedMay 5, 2026

What Changed in the Fix

Changes introduced in v4.7.1

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

This research plan targets **CVE-2026-39516** (Information Exposure) in the Nexter Blocks plugin. The vulnerability allows unauthenticated users to access sensitive post content and configuration data by abusing the `tpgb_get_template_content` AJAX action. ### 1. Vulnerability Summary The Nexter Bl…

Show full research plan

This research plan targets CVE-2026-39516 (Information Exposure) in the Nexter Blocks plugin. The vulnerability allows unauthenticated users to access sensitive post content and configuration data by abusing the tpgb_get_template_content AJAX action.

1. Vulnerability Summary

The Nexter Blocks plugin registers an AJAX action tpgb_get_template_content for both authenticated and unauthenticated users. This function is intended to fetch and render "Template" content for blocks like Tabs or Accordions. However, in version 4.7.0 and below, the handler lacks:

  1. Permission Checks: It does not verify if the user has the edit_posts or read_private_posts capability.
  2. Post Status Checks: It does not restrict access to "Published" posts, allowing "Private" or "Draft" posts to be retrieved.
  3. Post Type Restrictions: It often allows any post ID to be passed, leading to the disclosure of any post, page, or template content.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: tpgb_get_template_content
  • Method: POST
  • Parameters:
    • action: tpgb_get_template_content (Required)
    • template_id: The ID of the post/template to expose (Required)
    • security: A WordPress nonce for the action tpgb-ajax-nonce (Required in most configurations)
  • Authentication: Unauthenticated (wp_ajax_nopriv_)

3. Code Flow

  1. Registration: In classes/tp-block-helper.php, the __construct() method registers the AJAX hooks:
    add_action('wp_ajax_tpgb_get_template_content', array($this, 'tpgb_get_template_content'));
    add_action('wp_ajax_nopriv_tpgb_get_template_content', array($this, 'tpgb_get_template_content'));
    
  2. Execution: When the endpoint is called, Tp_Blocks_Helper::tpgb_get_template_content() is executed.
  3. Vulnerable Sink: (Inferred from standard Nexter Blocks logic) The function retrieves template_id from $_POST, calls get_post($template_id), and echoes $post->post_content after running do_shortcode().
  4. Bypass: Because no capability check (current_user_can) or post status check is performed, any ID is processed.

4. Nonce Acquisition Strategy

The plugin localizes the necessary nonce in a global JavaScript object. To obtain it unauthenticated:

  1. Identify Trigger: The scripts are enqueued when a Nexter block is present. We will create a public page with a simple Nexter shortcode.
  2. Create Trigger Page:
    wp post create --post_type=page --post_title="Nonce Page" --post_status=publish --post_content='[tp_accordion]'
  3. Localization Variable: Verbatim from plugin JS logic, the object is tpgblocalize and the nonce key is nonce.
  4. Extraction:
    • Navigate to the "Nonce Page".
    • Execute: browser_eval("window.tpgblocalize?.nonce") to retrieve the tpgb-ajax-nonce.

5. Exploitation Strategy

  1. Phase 1: Information Gathering
    • Determine a target Post ID (e.g., iterate IDs or target known IDs like 1).
  2. Phase 2: Nonce Extraction
    • Use the browser_eval method described above.
  3. Phase 3: Payload Delivery
    • Send a POST request to admin-ajax.php.
    • URL: http://<target>/wp-admin/admin-ajax.php
    • Body (URL-encoded):
      action=tpgb_get_template_content&template_id=<TARGET_ID>&security=<NONCE>
      
  4. Phase 4: Data Extraction
    • The response will contain the raw and processed content of the target post, including any sensitive information inside.

6. Test Data Setup

To demonstrate the impact, we must create a private post containing a secret:

# Create a private post with a secret FLAG
wp post create --post_type=post --post_title="Secret Management" --post_content="CONFIDENTIAL_API_KEY_12345" --post_status=private

# Create a template (Nexter's own post type) which might hold config
wp post create --post_type=tpgb_templates --post_title="Header Config" --post_content="[tp_search_bar placeholder='Search secrets...']" --post_status=publish

# Create the public page for nonce extraction
wp post create --post_type=page --post_title="Public View" --post_status=publish --post_content='[tp_accordion]'

7. Expected Results

  • The AJAX request will return a 200 OK response.
  • The body of the response will contain the string CONFIDENTIAL_API_KEY_12345.
  • Even if the user is not logged in, they can view the content of a post marked as "Private".

8. Verification Steps

  1. Verify Content Exposure:
    Check the HTTP response body from the exploit for the known secret string.
  2. Verify Post Status:
    Use WP-CLI to confirm the post was indeed private:
    wp post get <ID> --field=post_status (Should be private).
  3. Verify Authentication:
    Ensure the http_request tool was used without any Cookie headers representing a logged-in session.

9. Alternative Approaches

  • Configuration Leak: Target the tpgb_templates post type. These templates often contain the structural metadata and shortcode attributes of the site builder, which may include Mailchimp API keys or Google Maps keys stored as block attributes.
  • Blind ID Brute Force: If the target post ID is unknown, the agent can loop through IDs 1-100 to discover sensitive content.
  • nxt_form_action: If tpgb_get_template_content is patched or restricted, investigate the nxt_form_action action in Tp_Blocks_Helper, which might expose form submission data or recipient email addresses.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Nexter Blocks plugin for WordPress is vulnerable to unauthenticated sensitive information exposure via the tpgb_get_template_content AJAX action. This allows attackers to access the content of private or draft posts and templates because the plugin fails to verify user permissions and post visibility status before rendering content.

Vulnerable Code

// classes/tp-block-helper.php:58-59
add_action('wp_ajax_tpgb_get_template_content', array($this, 'tpgb_get_template_content'));
add_action('wp_ajax_nopriv_tpgb_get_template_content', array($this, 'tpgb_get_template_content'));

---

// classes/tp-block-helper.php:1684 (inferred logic from patch context)
$content = $content_post->post_content;
$content = apply_filters('the_content', $content);
wp_send_json_success($content);

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/the-plus-addons-for-block-editor/4.7.0/classes/tp-block-helper.php /home/deploy/wp-safety.org/data/plugin-versions/the-plus-addons-for-block-editor/4.7.1/classes/tp-block-helper.php
--- /home/deploy/wp-safety.org/data/plugin-versions/the-plus-addons-for-block-editor/4.7.0/classes/tp-block-helper.php	2026-01-23 09:17:22.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/the-plus-addons-for-block-editor/4.7.1/classes/tp-block-helper.php	2026-03-06 06:21:36.000000000 +0000
@@ -1684,6 +1684,16 @@
                         wp_send_json_error($content);
                         return;
                     }
+				
+					if ( $content_post->post_status !== 'publish' && ! current_user_can( 'edit_posts' ) ) {
+						wp_send_json_error( 'Block not available.' );
+						return;
+					}
+				
+					if ( ! current_user_can( 'read_post', $post_id ) && $content_post->post_status !== 'publish' ) {
+						wp_send_json_error( 'Block not available.' );
+						return;
+					}
 
 					$content = $content_post->post_content;
 					$content = apply_filters('the_content', $content);

Exploit Outline

To exploit this vulnerability, an unauthenticated attacker first obtains a valid AJAX nonce by visiting any public page where Nexter Blocks are active and extracting the 'nonce' value from the 'tpgblocalize' JavaScript object. The attacker then sends an unauthenticated POST request to the '/wp-admin/admin-ajax.php' endpoint with the 'action' parameter set to 'tpgb_get_template_content', the 'security' parameter set to the retrieved nonce, and the 'template_id' parameter set to the ID of the target private or draft post. The server will respond with the full, rendered content of the requested post, effectively bypassing WordPress's standard access controls for non-public content.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.