Nexa Blocks
- Affected versions: <= 1.1.1
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Nexa Blocks WordPress plugin, affecting versions up to and including 1.1.1. The flaw is in the import_demo() function, which reads a user-supplied URL from the demo_json_file POST parameter and passes it straight to wp_remote_get() with no validation of the scheme, host or destination, so the server will fetch internal or private network addresses on the caller's behalf. The only gate on the AJAX action is the nexa_blocks_nonce, and that nonce is printed into the HTML source of every frontend page where the plugin is active; a nonce proves request intent, not identity, so anyone who can load the site already holds a valid one and no login or capability check stands in the way. The result is that unauthenticated attackers can make server-side HTTP requests to arbitrary destinations, potentially exposing internal services and resources that were never meant to be reachable from the public internet.
Exploiting this vulnerability lets an attacker issue unauthorized server-side HTTP requests from the WordPress host, which can be used to reach and expose internal services, cloud metadata endpoints, and other private resources that trust the server's network position.
To reproduce this vulnerability, send a POST request to admin-ajax.php for the import_nexa_demo AJAX action with the target URL in the demo_json_file parameter. No authentication is needed because the required nonce can be copied from the public page source. Once the server processes the request, it fetches the content from the supplied URL. If the returned JSON contains image URLs, those are fetched as well and the downloaded files are added to the WordPress media library, so the attacker controls not only where the server connects but also what ends up written into the site's uploads.
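The following is an added illustration, not the plugin's source: a stripped-down AJAX handler in the shape the advisory describes (nonce-only gate, raw URL handed to wp_remote_get()) placed beside a hardened version. The function names, the `nonce` POST field name, the use of `nexa_blocks_nonce` as the nonce action string, and the demos.example.com URLs are assumptions made for the example; the `import_nexa_demo` action and `demo_json_file` parameter come from the advisory.

```php
<?php
// Added example (not the plugin's code). Function names, the 'nonce' field
// name, the nonce action string and the demo URLs are assumptions.

// --- Vulnerable shape -------------------------------------------------------
// Registered for anonymous callers too, so the handler is reachable pre-auth.
add_action( 'wp_ajax_import_nexa_demo',        'nexa_demo_import_vulnerable' );
add_action( 'wp_ajax_nopriv_import_nexa_demo', 'nexa_demo_import_vulnerable' );

function nexa_demo_import_vulnerable() {
    // Sole gate: a nonce that is printed into every frontend page, so any
    // visitor already holds a valid one. A nonce is a CSRF token, not auth.
    check_ajax_referer( 'nexa_blocks_nonce', 'nonce' );

    // Attacker-controlled URL fetched server-side with no scheme, host or
    // destination checks: http://127.0.0.1:8080/, http://169.254.169.254/...
    // or any other internal address is requested as-is.
    $url      = $_POST['demo_json_file'];
    $response = wp_remote_get( $url );
    wp_send_json( json_decode( wp_remote_retrieve_body( $response ), true ) );
}

// --- Hardened shape ---------------------------------------------------------
// Importing a demo is an administrative action: no nopriv registration.
add_action( 'wp_ajax_import_nexa_demo', 'nexa_demo_import_hardened' );

function nexa_demo_import_hardened() {
    // 1. Nonce AND capability. The nonce proves intent; the capability
    //    check proves the caller is actually allowed to do this.
    check_ajax_referer( 'nexa_blocks_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. Do not accept a URL from the request at all. Map a short key to a
    //    fixed allowlist of demo files on the vendor's own host (assumed URLs).
    $allowed = array(
        'agency'    => 'https://demos.example.com/nexa/agency.json',
        'portfolio' => 'https://demos.example.com/nexa/portfolio.json',
    );
    $key = isset( $_POST['demo'] ) ? sanitize_key( $_POST['demo'] ) : '';
    if ( ! isset( $allowed[ $key ] ) ) {
        wp_send_json_error( 'unknown demo', 400 );
    }

    // 3. Even for the allowlisted URL, use the "safe" HTTP client: it sets
    //    reject_unsafe_urls, so wp_http_validate_url() refuses non-http(s)
    //    schemes, loopback and RFC 1918 addresses and unusual ports, and the
    //    same check is applied to redirect targets. Redirects are disabled
    //    here anyway so a compromised demo host cannot bounce the request.
    $response = wp_safe_remote_get( $allowed[ $key ], array(
        'timeout'     => 10,
        'redirection' => 0,
    ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        wp_send_json_error( 'fetch failed', 502 );
    }

    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( ! is_array( $data ) ) {
        wp_send_json_error( 'invalid demo file', 502 );
    }
    // Any image URLs inside $data should go through the same safe client
    // (wp_safe_remote_get / media_sideload_image with a validated URL)
    // rather than a second unchecked fetch.
    wp_send_json_success( $data );
}
```

Two caveats for anyone applying this pattern. First, the allowlist is the real fix; `wp_safe_remote_get()` is defence in depth, not a substitute for it. Second, in the WordPress core versions I have checked, `wp_http_validate_url()` rejects 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 but not the link-local range 169.254.0.0/16 used by cloud instance metadata services, so any code path that still has to accept a caller-supplied URL needs its own resolve-then-check denylist covering that range as well.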