{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25429", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:34.262Z", "datePublished": "2026-03-25T16:14:49.161Z", "dateUpdated": "2026-03-25T16:14:49.161Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "nexa-blocks", "product": "Nexa Blocks", "vendor": "wpdive", "versions": [{"lessThanOrEqual": "<= 1.1.1", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:28.196Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in wpdive Nexa Blocks nexa-blocks allows Object Injection.<p>This issue affects Nexa Blocks: from n/a through <= 1.1.1.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in wpdive Nexa Blocks nexa-blocks allows Object Injection.This issue affects Nexa Blocks: from n/a through <= 1.1.1."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:49.161Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/nexa-blocks/vulnerability/wordpress-nexa-blocks-plugin-1-1-1-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Nexa Blocks plugin <= 1.1.1 - PHP Object Injection vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in wpdive Nexa Blocks nexa-blocks allows Object Injection.This issue affects Nexa Blocks: from n/a through <= 1.1.1."}], "id": "CVE-2026-25429", "lastModified": "2026-03-25T17:16:50.460", "metrics": {}, "published": "2026-03-25T17:16:50.460", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/nexa-blocks/vulnerability/wordpress-nexa-blocks-plugin-1-1-1-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T18:53:26.663098+00:00", "value": {"mitigation_remediation": ["Upgrade Nexa Blocks to a version newer than 1.1.1 when an update is released", "If no update is available, disable or uninstall the Nexa Blocks plugin to eliminate the vulnerable code path", "Monitor WordPress logs for unexpected object serialization or deserialization activity that could indicate an attempt to exploit the plugin", "Apply general WordPress hardening: keep core and all plugins updated, limit file uploads, and sanitize all user inputs"], "summary": {"action": "Patch Immediately", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "WordPress sites running the Nexa Blocks plugin version 1.1.1 or earlier are affected. The flaw exists in all releases through 1.1.1, regardless of release date.", "description_and_impact": "The vulnerability is a deserialization flaw that permits attackers to inject arbitrary PHP objects into the Nexa Blocks plugin. By manipulating untrusted input that is deserialized, an attacker could instantiate malicious objects and thus execute arbitrary code on the server, compromising the confidentiality, integrity, and availability of the WordPress site.", "risk_and_exploitability": "Object injection is a high\u2011severity weakness and commonly leads to remote code execution. The CVSS score is not provided in the report, but the nature of the flaw suggests a high risk. EPSS scoring is unavailable, and the vulnerability is not listed in the CISA KEV catalog. Attackers could exploit the flaw through any user input that triggers deserialization\u2014likely via crafted POST requests or encoded payloads\u2014without requiring authentication if the plugin processes public input."}}}}, "created": "2026-03-25T21:44:30.939043+00:00", "updated": "2026-03-25T21:44:30.939069+00:00", "vendors": []}