The Nexa Blocks WordPress plugin contains an SSRF vulnerability (CWE-918) due to the import_demo() function accepting unvalidated user input in the demo_json_file POST parameter and passing it directly to wp_remote_get(). The required AJAX nonce is publicly exposed in frontend HTML, allowing unauthenticated attackers to exploit this SSRF to access internal or private network resources, including cloud metadata services like AWS instance metadata. Additionally, a secondary SSRF vector exists through image URLs fetched from attacker-controlled JSON responses, enabling chained exploitation. The vulnerability affects versions up to 1.1.1 and has a CVSS 3.1 base score of 5.4, indicating medium severity. The service is cloud-hosted, and a patch is available.

An unauthenticated attacker can exploit this SSRF vulnerability to make server-side HTTP requests to arbitrary internal or external destinations. This may expose sensitive internal services, cloud metadata endpoints (e.g., AWS instance metadata), localhost services, and other resources not intended to be publicly accessible. The secondary SSRF vector increases the attack surface by allowing chained requests through crafted JSON payloads. The impact includes potential information disclosure and reconnaissance within internal networks or cloud environments.

A patch is available for this vulnerability. Since the affected product is a cloud-hosted service, the vendor manages remediation server-side. Users should verify with the vendor advisory that the patch has been applied. No additional action is required if the vendor confirms mitigation. If not confirmed, users should avoid using affected plugin versions and monitor vendor communications for updates.