Server-Side Request Forgery in Nexa Blocks Plugin for WordPress
CVE-2026-6394

5.4 MEDIUM

What is CVE-2026-6394?

The Nexa Blocks plugin for WordPress is exposed to a server-side request forgery (SSRF) vulnerability due to improper handling of user-supplied URLs. The plugin's import_demo() function directly processes a POST parameter without validating the input, allowing attackers to make the server issue HTTP requests to potentially sensitive internal services or to unauthorized external destinations. Additionally, the nexa_blocks_nonce is printed in the frontend HTML, where it is exposed to anyone accessing the page, so the endpoint can be reached through unauthenticated requests. The impact extends further: crafted JSON payloads can trigger additional SSRF requests when the plugin subsequently fetches the image URLs they contain.
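As an added example (not the plugin's own code), the following shows what a hardened import handler of the kind the description implies needs to do: validate the scheme and resolved addresses of the POSTed URL, pair the nonce with a capability check, and apply the same validation to image URLs read from the fetched JSON. The AJAX action name nexa_demo_import, the POST field demo_url and the JSON key images are assumed names; the nonce action reuses the page's nexa_blocks_nonce.

```php
<?php
// Accepts only http(s) URLs whose host resolves solely to public addresses.
function nexa_example_is_safe_remote_url( string $url ): bool {
    $parts = wp_parse_url( $url );
    if ( empty( $parts['scheme'] ) || empty( $parts['host'] ) || isset( $parts['user'] ) ) {
        return false;
    }
    if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return false; // esc_url_raw() alone still lets ftp:, mailto: and similar schemes through.
    }
    // Resolve the host here: an attacker-controlled name can point at 127.0.0.1 or 169.254.169.254.
    $ips = array();
    if ( filter_var( $parts['host'], FILTER_VALIDATE_IP ) ) {
        $ips[] = $parts['host'];
    } else {
        foreach ( (array) dns_get_record( $parts['host'], DNS_A | DNS_AAAA ) as $rec ) {
            $ips[] = $rec['ip'] ?? $rec['ipv6'] ?? '';
        }
    }
    if ( empty( $ips ) ) {
        return false;
    }
    foreach ( $ips as $ip ) {
        // PRIV rejects RFC 1918 and fc00::/7; RES rejects loopback, link-local, 0.0.0.0/8 and ::ffff:0:0/96.
        if ( ! filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE ) ) {
            return false;
        }
    }
    return true;
}

add_action( 'wp_ajax_nexa_demo_import', function () {
    // A nonce printed into page HTML only shows the request came from a rendered page; it is not
    // authorization. The capability check is what keeps unauthenticated callers out.
    check_ajax_referer( 'nexa_blocks_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $url = isset( $_POST['demo_url'] ) ? esc_url_raw( wp_unslash( $_POST['demo_url'] ) ) : '';
    if ( ! nexa_example_is_safe_remote_url( $url ) ) {
        wp_send_json_error( 'invalid url', 400 );
    }
    // wp_safe_remote_get() also applies core's wp_http_validate_url(); redirects are disabled so a public host cannot bounce the request to an internal one.
    $response = wp_safe_remote_get( $url, array( 'timeout' => 10, 'redirection' => 0 ) );
    $demo     = json_decode( is_wp_error( $response ) ? '' : wp_remote_retrieve_body( $response ), true );
    // Every URL found inside the fetched JSON ('images' key assumed) gets the same check before any follow-up image request.
    $images = array_filter( (array) ( $demo['images'] ?? array() ),
        fn( $u ) => is_string( $u ) && nexa_example_is_safe_remote_url( $u ) );
    wp_send_json_success( array( 'images' => array_values( $images ) ) );
} );
```

Resolving the host in the validator and again inside the HTTP transport leaves a small DNS-rebinding window; closing it requires pinning the resolved IP for the actual request, which needs a custom transport and is outside this example.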

Affected Version(s)

Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE: 0 <= 1.1.1 (all versions up to and including 1.1.1)

References

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Patryk Siewert