MEDIUM
wpdive
CVE published 2026-05-20
CVE-2026-6394
The Nexa Blocks WordPress plugin (versions up to and including 1.1.1) contains a Server-Side Request Forgery (SSRF) vulnerability that allows unauthenticated attackers to make server-side HTTP requests to arbitrary destinations. The vulnerability stems from two weaknesses: first, the `import_demo()` function accepts a user-supplied URL via the `demo_json_file` POST parameter and passes it directly to `wp_ [truncated]
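An added triage example, not code from the advisory or from the plugin: it scans captured form-encoded POST bodies for `demo_json_file` values and flags any whose destination is not an expected HTTPS host. The allowlisted host `demos.example.com`, the `action=PLACEHOLDER` field and the sample bodies are constructed assumptions.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Assumption: the one host legitimate demo JSON is served from (placeholder).
ALLOWED_HOSTS = {"demos.example.com"}

def classify_demo_url(value):
    """Return 'ok', or the reason a demo_json_file value should be flagged."""
    try:
        parts = urlsplit(value.strip())
        host = (parts.hostname or "").lower()
    except ValueError:          # e.g. malformed IPv6 bracket syntax
        return "unparseable"
    if not host:
        return "no-host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None               # a DNS name, not an IP literal
    if ip is not None:
        internal = ip.is_loopback or ip.is_private or ip.is_link_local
        return "internal-ip-literal" if internal else "ip-literal"
    if parts.scheme.lower() != "https":
        return "scheme-not-https"
    # Exact match only: substring or suffix checks accept look-alike hosts.
    if host not in ALLOWED_HOSTS:
        return "host-not-allowlisted"
    return "ok"

def flag_requests(bodies):
    """Return (index, url, reason) for each suspicious demo_json_file value."""
    hits = []
    for i, body in enumerate(bodies):
        for value in parse_qs(body).get("demo_json_file", []):
            reason = classify_demo_url(value)
            if reason != "ok":
                hits.append((i, value, reason))
    return hits

# Constructed sample POST bodies; "action=PLACEHOLDER" is not the plugin's real action.
SAMPLE_BODIES = [
    "action=PLACEHOLDER&demo_json_file=https%3A%2F%2Fdemos.example.com%2Fshop.json",
    "action=PLACEHOLDER&demo_json_file=http%3A%2F%2F127.0.0.1%2Fstatus",
    "action=PLACEHOLDER&demo_json_file=https%3A%2F%2Fdemos.example.com.other.invalid%2Fx.json",
    "action=PLACEHOLDER&demo_json_file=http%3A%2F%2Fdemos.example.com%2Fshop.json",
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_BODIES):
        print(hit)
```

The check works on the literal URL only and performs no DNS resolution, so a name that resolves to an internal address is caught by the allowlist rather than by the IP test.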