Nexter Blocks <= 4.7.0 - Unauthenticated Information Exposure
Description
The Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.7.0. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NTechnical Details
<=4.7.0What Changed in the Fix
Changes introduced in v4.7.1
Source Code
WordPress.org SVNThis research plan targets **CVE-2026-39516** (Information Exposure) in the Nexter Blocks plugin. The vulnerability allows unauthenticated users to access sensitive post content and configuration data by abusing the `tpgb_get_template_content` AJAX action. ### 1. Vulnerability Summary The Nexter Bl…
Show full research plan
This research plan targets CVE-2026-39516 (Information Exposure) in the Nexter Blocks plugin. The vulnerability allows unauthenticated users to access sensitive post content and configuration data by abusing the tpgb_get_template_content AJAX action.
1. Vulnerability Summary
The Nexter Blocks plugin registers an AJAX action tpgb_get_template_content for both authenticated and unauthenticated users. This function is intended to fetch and render "Template" content for blocks like Tabs or Accordions. However, in version 4.7.0 and below, the handler lacks:
- Permission Checks: It does not verify if the user has the
edit_postsorread_private_postscapability. - Post Status Checks: It does not restrict access to "Published" posts, allowing "Private" or "Draft" posts to be retrieved.
- Post Type Restrictions: It often allows any post ID to be passed, leading to the disclosure of any post, page, or template content.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
tpgb_get_template_content - Method:
POST - Parameters:
action:tpgb_get_template_content(Required)template_id: The ID of the post/template to expose (Required)security: A WordPress nonce for the actiontpgb-ajax-nonce(Required in most configurations)
- Authentication: Unauthenticated (
wp_ajax_nopriv_)
3. Code Flow
- Registration: In
classes/tp-block-helper.php, the__construct()method registers the AJAX hooks:add_action('wp_ajax_tpgb_get_template_content', array($this, 'tpgb_get_template_content')); add_action('wp_ajax_nopriv_tpgb_get_template_content', array($this, 'tpgb_get_template_content')); - Execution: When the endpoint is called,
Tp_Blocks_Helper::tpgb_get_template_content()is executed. - Vulnerable Sink: (Inferred from standard Nexter Blocks logic) The function retrieves
template_idfrom$_POST, callsget_post($template_id), and echoes$post->post_contentafter runningdo_shortcode(). - Bypass: Because no capability check (
current_user_can) or post status check is performed, any ID is processed.
4. Nonce Acquisition Strategy
The plugin localizes the necessary nonce in a global JavaScript object. To obtain it unauthenticated:
- Identify Trigger: The scripts are enqueued when a Nexter block is present. We will create a public page with a simple Nexter shortcode.
- Create Trigger Page:
wp post create --post_type=page --post_title="Nonce Page" --post_status=publish --post_content='[tp_accordion]' - Localization Variable: Verbatim from plugin JS logic, the object is
tpgblocalizeand the nonce key isnonce. - Extraction:
- Navigate to the "Nonce Page".
- Execute:
browser_eval("window.tpgblocalize?.nonce")to retrieve thetpgb-ajax-nonce.
5. Exploitation Strategy
- Phase 1: Information Gathering
- Determine a target Post ID (e.g., iterate IDs or target known IDs like 1).
- Phase 2: Nonce Extraction
- Use the
browser_evalmethod described above.
- Use the
- Phase 3: Payload Delivery
- Send a POST request to
admin-ajax.php. - URL:
http://<target>/wp-admin/admin-ajax.php - Body (URL-encoded):
action=tpgb_get_template_content&template_id=<TARGET_ID>&security=<NONCE>
- Send a POST request to
- Phase 4: Data Extraction
- The response will contain the raw and processed content of the target post, including any sensitive information inside.
6. Test Data Setup
To demonstrate the impact, we must create a private post containing a secret:
# Create a private post with a secret FLAG
wp post create --post_type=post --post_title="Secret Management" --post_content="CONFIDENTIAL_API_KEY_12345" --post_status=private
# Create a template (Nexter's own post type) which might hold config
wp post create --post_type=tpgb_templates --post_title="Header Config" --post_content="[tp_search_bar placeholder='Search secrets...']" --post_status=publish
# Create the public page for nonce extraction
wp post create --post_type=page --post_title="Public View" --post_status=publish --post_content='[tp_accordion]'
7. Expected Results
- The AJAX request will return a
200 OKresponse. - The body of the response will contain the string
CONFIDENTIAL_API_KEY_12345. - Even if the user is not logged in, they can view the content of a post marked as "Private".
8. Verification Steps
- Verify Content Exposure:
Check the HTTP response body from the exploit for the known secret string. - Verify Post Status:
Use WP-CLI to confirm the post was indeed private:wp post get <ID> --field=post_status(Should beprivate). - Verify Authentication:
Ensure thehttp_requesttool was used without anyCookieheaders representing a logged-in session.
9. Alternative Approaches
- Configuration Leak: Target the
tpgb_templatespost type. These templates often contain the structural metadata and shortcode attributes of the site builder, which may include Mailchimp API keys or Google Maps keys stored as block attributes. - Blind ID Brute Force: If the target post ID is unknown, the agent can loop through IDs 1-100 to discover sensitive content.
- nxt_form_action: If
tpgb_get_template_contentis patched or restricted, investigate thenxt_form_actionaction inTp_Blocks_Helper, which might expose form submission data or recipient email addresses.
Summary
The Nexter Blocks plugin for WordPress is vulnerable to unauthenticated sensitive information exposure via the tpgb_get_template_content AJAX action. This allows attackers to access the content of private or draft posts and templates because the plugin fails to verify user permissions and post visibility status before rendering content.
Vulnerable Code
// classes/tp-block-helper.php:58-59 add_action('wp_ajax_tpgb_get_template_content', array($this, 'tpgb_get_template_content')); add_action('wp_ajax_nopriv_tpgb_get_template_content', array($this, 'tpgb_get_template_content')); --- // classes/tp-block-helper.php:1684 (inferred logic from patch context) $content = $content_post->post_content; $content = apply_filters('the_content', $content); wp_send_json_success($content);
Security Fix
@@ -1684,6 +1684,16 @@ wp_send_json_error($content); return; } + + if ( $content_post->post_status !== 'publish' && ! current_user_can( 'edit_posts' ) ) { + wp_send_json_error( 'Block not available.' ); + return; + } + + if ( ! current_user_can( 'read_post', $post_id ) && $content_post->post_status !== 'publish' ) { + wp_send_json_error( 'Block not available.' ); + return; + } $content = $content_post->post_content; $content = apply_filters('the_content', $content);
Exploit Outline
To exploit this vulnerability, an unauthenticated attacker first obtains a valid AJAX nonce by visiting any public page where Nexter Blocks are active and extracting the 'nonce' value from the 'tpgblocalize' JavaScript object. The attacker then sends an unauthenticated POST request to the '/wp-admin/admin-ajax.php' endpoint with the 'action' parameter set to 'tpgb_get_template_content', the 'security' parameter set to the retrieved nonce, and the 'template_id' parameter set to the ID of the target private or draft post. The server will respond with the full, rendered content of the requested post, effectively bypassing WordPress's standard access controls for non-public content.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.