Deserialization of Untrusted Data Vulnerability in Nexa Blocks Plugin by Wpdive
CVE-2026-25429

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: Nexa Blocks
Vendor: CVE Published:; 25 March 2026

What is CVE-2026-25429?

A deserialization of untrusted data vulnerability exists in the Nexa Blocks plugin for WordPress, allowing for potential object injection. This vulnerability can be exploited to manipulate serialized data, leading to unauthorized access or control over the application's functions. The affected versions include all versions up to and including 1.1.1. It is critical for users of Nexa Blocks to update to the latest version to mitigate the risks associated with this issue.

Affected Version(s)

Nexa Blocks 0 <= 1.1.1

References

https://patchstack.com/database/Wordpress/Plugin/nexa-blo...

vdb-entry

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 25, 2026
Vulnerability Reserved
Feb 2, 2026

Credit

Nabil Irawan | Patchstack Bug Bounty Program

CVE-2026-25429 Data

JSON