CVE-2026-6394 Overview
The Nexa Blocks Gutenberg Blocks plugin for WordPress contains a Server-Side Request Forgery (SSRF) vulnerability [CWE-918] affecting all versions up to and including 1.1.1. The import_demo() function accepts a user-supplied URL via the demo_json_file POST parameter and passes it directly to wp_remote_get() without validation. The required nexa_blocks_nonce is publicly exposed in the HTML source of any frontend page where the plugin is active, eliminating the intended authentication barrier. Unauthenticated attackers can issue server-side HTTP requests to arbitrary internal or external destinations.
Critical Impact
Unauthenticated SSRF enables attackers to reach internal services, localhost endpoints, and cloud metadata APIs such as the AWS instance metadata service from any vulnerable WordPress host.
Affected Products
- Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress
- Versions up to and including 1.1.1
- All WordPress installations with the plugin active on a public-facing page
Discovery Timeline
- 2026-05-20 - CVE-2026-6394 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-6394
Vulnerability Analysis
The vulnerability resides in the plugin's demo import workflow. The import_demo() AJAX handler reads the demo_json_file POST parameter and forwards the attacker-supplied URL into wp_remote_get() with no allowlist, scheme restriction, or check against private network ranges. The handler is gated only by a WordPress nonce named nexa_blocks_nonce, but the plugin publishes that nonce through wp_localize_script on the enqueue_block_assets hook, which fires on the front end as well as in the editor, so the nonce lands in the source of every public page. Any unauthenticated visitor can scrape the nonce from page source and invoke the AJAX endpoint.
A secondary SSRF vector compounds the impact. Image URLs parsed from the attacker-controlled JSON response are fetched through a second wp_remote_get() call, enabling chained requests where the first response dictates the second target.
Root Cause
The root cause is missing input validation on a network-bound URL parameter combined with broken access control. The nonce, intended as a CSRF and authentication barrier, is leaked to every site visitor. Neither URL parsing nor destination filtering occurs before the outbound request, so loopback addresses, link-local ranges, and cloud metadata IPs remain reachable from the WordPress server context.
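The destination check the handler lacks, written out as an added example (not the Nexa Blocks plugin's code). In a WordPress plugin the native equivalent is a capability check plus wp_safe_remote_get(), which runs wp_http_validate_url(); the Python below shows the same decision logic so it can be tested offline. ALLOWED_HOSTS and the FAKE_DNS table are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hypothetical allowlist of hosts that demo JSON may be fetched from.
ALLOWED_HOSTS = {"demos.example.com"}

# Constructed DNS table so the example runs offline (real_resolver is the live path).
FAKE_DNS = {
    "demos.example.com": {"93.184.216.34"},  # public address
    "cdn.example.net": {"127.0.0.1"},        # benign-looking name pointing at loopback
}

def real_resolver(host):
    """Every address a hostname maps to; a name may hide a private or metadata IP."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def fake_resolver(host):
    """Offline stand-in: table lookup, literal IPs pass through, unknown names fail."""
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    try:
        return {str(ipaddress.ip_address(host))}
    except ValueError:
        raise OSError(f"NXDOMAIN {host}")

def is_internal(ip_text):
    """True for loopback, RFC1918, link-local (169.254.169.254 included) and other non-global space."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:a.b.c.d is an IPv4 target in disguise
    return not ip.is_global

def validate_demo_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=real_resolver):
    """Return (allowed, reason); every rejection happens before any request is sent."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme must be http or https"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, f"{host} is not an allowed demo host"
    try:
        addrs = resolver(host)
    except OSError:
        return False, f"{host} does not resolve"
    for addr in addrs:  # reject if ANY resolved address is non-public
        if is_internal(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"
```

Resolving at validation time still leaves a window for DNS rebinding, so the resolved address should also be pinned for the actual request or the same check enforced at the egress proxy.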
Attack Vector
An unauthenticated remote attacker first retrieves the public nonce from any frontend page that loads the plugin's assets. The attacker then submits an AJAX request to the import_demo action with demo_json_file set to a target URL. The WordPress host issues the request and returns or processes the response. Targets typically include http://169.254.169.254/latest/meta-data/ for AWS metadata, internal admin panels bound to 127.0.0.1, and intranet services reachable from the server's network position.
No verified public exploit code is available. See the Wordfence Vulnerability Report and the Nexa Blocks enqueue-assets.php source for technical references.
Detection Methods for CVE-2026-6394
Indicators of Compromise
- POST requests to /wp-admin/admin-ajax.php containing action=import_demo and a demo_json_file parameter pointing to internal IP ranges (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16).
- Outbound HTTP requests from the WordPress server to 169.254.169.254, the AWS instance metadata endpoint.
- Outbound requests carrying the WordPress HTTP API's default user-agent (WordPress/<version>; <site URL>) to non-public hostnames or loopback ports.
Detection Strategies
- Inspect web server access logs for POST bodies referencing import_demo and URL schemes other than expected demo content hosts.
- Correlate AJAX requests against egress proxy logs to identify outbound calls triggered by anonymous sessions.
- Alert on any process associated with PHP-FPM or Apache initiating connections to private IP space or cloud metadata addresses.
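A detector for the indicator in the first IoC bullet and the log-inspection strategy above, added here as an example rather than tooling from the advisory. It assumes the web server appends a body="..." field to combined-format lines (the monitoring section recommends capturing full POST bodies); the SAMPLE_LOG lines are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

# CIDRs from the Indicators of Compromise list above.
INTERNAL_NETS = [ipaddress.ip_network(c) for c in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# Combined log format plus an assumed body="..." field holding the raw POST body.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" body="(?P<body>[^"]*)"$')

def target_is_internal(url):
    """True if demo_json_file points at loopback, RFC1918 or link-local space."""
    host = urlparse(url).hostname
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host or "")
    except ValueError:
        return False  # named hosts need a resolve-time check at the egress layer
    return any(ip in net for net in INTERNAL_NETS)

def scan_log(lines):
    """One alert per import_demo call; internal_target marks the IoC pattern."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].endswith("/wp-admin/admin-ajax.php"):
            continue
        params = parse_qs(m["body"])  # decodes the form-encoded POST body
        if params.get("action", [""])[0] != "import_demo":
            continue
        url = params.get("demo_json_file", [""])[0]
        alerts.append({"src": m["src"], "ts": m["ts"], "status": m["status"],
                       "url": url, "internal_target": target_is_internal(url)})
    return alerts

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '198.51.100.2 - - [20/May/2026:09:59:00 +0000] "GET / HTTP/1.1" 200 7340 "-" "Mozilla/5.0" body=""',
    '203.0.113.7 - - [20/May/2026:10:00:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "curl/8.0" '
    'body="action=import_demo&demo_json_file=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F"',
    '203.0.113.8 - - [20/May/2026:10:01:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 9021 "-" "Mozilla/5.0" '
    'body="action=import_demo&demo_json_file=http%3A%2F%2Fdemos.example.com%2Fdemo.json"',
    '203.0.113.9 - - [20/May/2026:10:02:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64 "-" "Mozilla/5.0" body="action=heartbeat"',
    '203.0.113.7 - - [20/May/2026:10:03:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 500 0 "-" "curl/8.0" '
    'body="action=import_demo&demo_json_file=http%3A%2F%2F127.0.0.1%3A8080%2Fadmin"',
]
```

Every import_demo call from an anonymous client is worth reviewing while no fixed version exists; the internal_target flag just prioritises the ones matching the IoC ranges.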
Monitoring Recommendations
- Enable egress filtering at the host or VPC level to block server-originated traffic to 169.254.169.254 and RFC1918 ranges.
- Capture and retain WordPress AJAX request logs with full POST bodies for at least 90 days.
- Monitor public pages for clients that fetch them at unusual rates and then call admin-ajax.php, the pattern expected when the embedded nexa_blocks_nonce is being harvested automatically.
How to Mitigate CVE-2026-6394
Immediate Actions Required
- Deactivate the Nexa Blocks plugin on all WordPress sites until a patched release is installed.
- Audit cloud workloads for IMDSv1 exposure and migrate to IMDSv2 with required session tokens.
- Review web server logs for prior invocations of the import_demo AJAX action and investigate any responses returning internal data.
Patch Information
No fixed version is referenced in the available advisory data at the time of publication. Track the Wordfence advisory and the Nexa Blocks plugin repository for an updated release beyond 1.1.1.
Workarounds
- Block requests to /wp-admin/admin-ajax.php with action=import_demo at the WAF or reverse proxy layer.
- Enforce IMDSv2 on AWS EC2 instances hosting WordPress to neutralize cloud metadata theft via SSRF.
- Restrict outbound HTTP traffic from the WordPress server to a known allowlist of demo content domains.
- Remove the plugin's frontend asset enqueue so the nonce is no longer exposed to anonymous visitors (test first, since the same enqueue may deliver scripts the plugin's blocks need on the front end).
# Example WAF rule (ModSecurity) to block the vulnerable AJAX action.
# Requires SecRequestBodyAccess On so that ARGS includes POST parameters;
# the chained rule fires only when both conditions match.
SecRule REQUEST_URI "@endsWith /wp-admin/admin-ajax.php" \
    "chain,phase:2,deny,status:403,id:1026006394,\
    msg:'Block Nexa Blocks import_demo SSRF (CVE-2026-6394)'"
    SecRule ARGS:action "@streq import_demo" "t:none"
# Enforce IMDSv2 on an existing EC2 instance (the instance id is a placeholder).
# --http-tokens required rejects IMDSv1 GETs; IMDSv2 needs a session token
# obtained via PUT first, which a GET-only SSRF through wp_remote_get cannot do.
aws ec2 modify-instance-metadata-options \
    --instance-id i-0123456789abcdef0 \
    --http-tokens required \
    --http-endpoint enabled
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.