PatchSiren cyber security CVE debrief

CVE-2026-6394 wpdive CVE debrief

The Nexa Blocks WordPress plugin (versions up to and including 1.1.1) contains a Server-Side Request Forgery (SSRF) vulnerability that allows unauthenticated attackers to make server-side HTTP requests to arbitrary destinations. The vulnerability stems from two weaknesses: first, the `import_demo()` function accepts a user-supplied URL via the `demo_json_file` POST parameter and passes it directly to `wp_remote_get()` without validation or restriction against internal/private network destinations; second, the `nexa_blocks_nonce` required for the AJAX action is exposed in the HTML source of any frontend page where the plugin is active via `wp_localize_script` on the `enqueue_block_assets` hook, making it available to all visitors and bypassing authentication barriers. A secondary SSRF vector exists where image URLs extracted from the attacker-controlled JSON response are subsequently fetched via a second `wp_remote_get()` call, enabling chained exploitation through crafted JSON payloads. This could expose internal services, cloud metadata endpoints (including AWS instance metadata), localhost services, and other non-public resources.

Vendor: wpdive
Product: Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-20
Advisory published: 2026-05-20
Advisory updated: 2026-05-20

Who should care

WordPress site administrators using Nexa Blocks plugin; security teams managing WordPress deployments in cloud environments (AWS, GCP, Azure); DevSecOps engineers responsible for container and VM instance metadata protection; web application firewall administrators

Technical summary

The vulnerability combines two implementation flaws: (1) cryptographic secret exposure through `wp_localize_script` making the AJAX nonce publicly accessible, and (2) lack of URL validation in `wp_remote_get()` calls. The `import_demo()` function at line 236 of `template.php` accepts arbitrary URLs, while a secondary fetch at line 242 processes image URLs from the JSON response without validation. The nonce exposure at line 84 of `enqueue-assets.php` occurs on the `enqueue_block_assets` hook, which runs on frontend pages. Attackers can chain these weaknesses to perform blind SSRF against internal infrastructure, potentially accessing cloud instance metadata services (169.254.169.254), internal APIs, or localhost services.

Defensive priority

medium

Recommended defensive actions

  • Update Nexa Blocks plugin to version 1.1.2 or later if available
  • If immediate patching is not possible, consider temporarily disabling the plugin or restricting access to WordPress admin AJAX endpoints
  • Implement network-level egress filtering to block outbound requests from the WordPress server to internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.169.254/32) and link-local addresses
  • Review WordPress server IAM roles and instance metadata access configurations, particularly for cloud deployments
  • Monitor web server logs for suspicious `demo_json_file` parameters in POST requests to `/wp-admin/admin-ajax.php`
  • Apply principle of least privilege to WordPress server network access
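Two of the points above, the destination validation that the technical summary says the `wp_remote_get()` calls lack and the recommendation to watch for `demo_json_file` in POSTs to `/wp-admin/admin-ajax.php`, can be illustrated together from the defender's side. The following Python is an added example for this debrief; it is not code from the Nexa Blocks plugin, from WordPress core or from PatchSiren. The hostnames, the resolver table and the audit-log records are constructed, the log shape (one JSON object per line carrying the raw POST body, as a WAF audit log would record it) is an assumption, and `NONCE_PLACEHOLDER` stands in for a real nonce value.

```python
"""Egress check for server-side fetches plus log triage for the demo_json_file
pattern described in this debrief.  Added example; not code from the Nexa Blocks
plugin, from WordPress core or from PatchSiren.  Log records are constructed.
"""
import ipaddress
import json
import socket
from urllib.parse import parse_qs, urlsplit

# Ranges a server-side fetch of a user-supplied URL must never reach: RFC 1918,
# loopback, link-local (covers the 169.254.169.254 metadata address), CGNAT,
# "this network", and the IPv6 counterparts.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_blocked_address(ip_text):
    """True if the address is in a blocked range; unwraps IPv4-mapped IPv6."""
    ip = ipaddress.ip_address(ip_text.split("%", 1)[0])  # drop any zone id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 is still the metadata address
    return any(ip in net for net in BLOCKED_NETWORKS)


def system_resolver(host):
    """OS resolver; returns every A/AAAA record, not just the first."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_fetch_url(url, resolver=system_resolver):
    """Return (allowed, reason) for a URL that is about to be fetched server-side.

    Every address a name resolves to must be public: a host with one public and
    one internal record must not pass on the public one and be fetched on the other.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    try:
        addrs = resolver(parts.hostname)
    except (OSError, ValueError) as exc:
        return False, f"unresolvable host {parts.hostname!r}: {exc}"
    for addr in addrs:
        if is_blocked_address(addr):
            return False, f"{parts.hostname} resolves to blocked address {addr}"
    return True, "ok"


def triage_audit_log(lines, resolver=system_resolver):
    """Classify POSTs to admin-ajax.php that carry a demo_json_file parameter.

    Each line is a JSON object with src, method, path and the raw form-encoded
    body (a WAF audit log records bodies; a plain access log does not).
    """
    findings = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("method") != "POST":
            continue
        if not rec.get("path", "").endswith("/wp-admin/admin-ajax.php"):
            continue
        for url in parse_qs(rec.get("body", "")).get("demo_json_file", []):
            allowed, reason = check_fetch_url(url, resolver)
            findings.append({"src": rec.get("src"), "url": url,
                             "verdict": "allow" if allowed else "block",
                             "reason": reason})
    return findings


# Constructed resolver table so the example runs offline; hypothetical names.
RESOLVER_TABLE = {
    "demo.example-vendor.test": ["203.0.113.10"],
    "internal-api.corp.test": ["10.20.30.40"],
    "split.example.test": ["198.51.100.5", "::ffff:127.0.0.1"],  # one public, one loopback
}


def table_resolver(host):
    try:
        return [str(ipaddress.ip_address(host))]  # literal address: no lookup needed
    except ValueError:
        pass
    if host not in RESOLVER_TABLE:
        raise OSError(f"no record for {host}")
    return RESOLVER_TABLE[host]


# Constructed audit records; the nonce value is a placeholder, not a real token.
SAMPLE_AUDIT_LOG = [
    '{"src": "198.51.100.23", "method": "GET", "path": "/wp-admin/admin-ajax.php", "body": ""}',
    '{"src": "198.51.100.23", "method": "POST", "path": "/wp-admin/admin-ajax.php",'
    ' "body": "nexa_blocks_nonce=NONCE_PLACEHOLDER&demo_json_file=https%3A%2F%2Fdemo.example-vendor.test%2Fdemo.json"}',
    '{"src": "203.0.113.7", "method": "POST", "path": "/wp-admin/admin-ajax.php",'
    ' "body": "nexa_blocks_nonce=NONCE_PLACEHOLDER&demo_json_file=http%3A%2F%2F169.254.169.254%2F"}',
    '{"src": "203.0.113.7", "method": "POST", "path": "/wp-admin/admin-ajax.php",'
    ' "body": "nexa_blocks_nonce=NONCE_PLACEHOLDER&demo_json_file=http%3A%2F%2Fsplit.example.test%2Fdemo.json"}',
    '{"src": "203.0.113.9", "method": "POST", "path": "/wp-admin/admin-ajax.php",'
    ' "body": "nexa_blocks_nonce=NONCE_PLACEHOLDER&demo_json_file=ftp%3A%2F%2Fdemo.example-vendor.test%2Fdemo.json"}',
]

if __name__ == "__main__":
    for f in triage_audit_log(SAMPLE_AUDIT_LOG, table_resolver):
        print(f["verdict"], f["src"], f["url"], "-", f["reason"])
```

The same `check_fetch_url()` logic applies to the second vector the debrief describes: image URLs taken from the fetched JSON are attacker-influenced input too and need the check before the second fetch. Resolution happens inside the check, and every returned record is tested, because a name that resolves to one public and one internal address would otherwise pass on the record that happened to be inspected. For the plugin-side fix itself WordPress core offers `wp_safe_remote_get()`, which applies its own private-range filtering via `wp_http_validate_url()`; the ranges covered there and in this example are not identical, so confirm coverage of the link-local range against the WordPress version in use rather than assuming it.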

Evidence notes

Vulnerability confirmed via WordPress plugin source code analysis. The nonce exposure is located in `enqueue-assets.php` at line 84, while the SSRF vectors are in `template.php` at lines 236 and 242. Both tagged version 1.1.1 and trunk versions contain the vulnerable code.

Official resources

2026-05-20