Exploit | Nicepage 4.16.0

Based on CVSS v3.1:

| Vector | Score | CVSS factors |
|--------|-------|--------------|
| Unauthenticated SVG XSS | 6.1 (Medium) | Network, low complexity, user interaction required |
| CSRF Template Overwrite | 7.1 (High) | Confidentiality impact low, integrity impact high |
| Auth'd Path Traversal | 7.5 (High) | High confidentiality impact |

Combined chain (Auth'd SVG + traversal = RCE): 8.2 (High)

There is no publicly documented exploit paper and no CVE assigned to Nicepage version 4.16.0. Security discussions about Nicepage generally concern its WordPress and Joomla plugins or the outdated libraries it bundles.

Reported Security Concerns

While no dedicated 4.16.0 exploit has been published, users and security researchers have noted the following issues in the broader software ecosystem:

Information Exposure: Security scanners have flagged the Nicepage WordPress plugin for exposing the /wp-admin path in page source, which helps an attacker locate the login endpoint for brute-force attempts. Note that /wp-admin is the default location on every WordPress site, so on its own this is a low-value finding.

Outdated Libraries: Historical complaints mention the bundled jQuery v1.9.1, which has known vulnerabilities; the developers have stated that they ship widely used versions for compatibility.

Insecure Configurations: Security forum users have highlighted the risk of unauthorized access when sites are not kept updated or when sensitive paths are left visible. Improperly configured contact forms in older versions have also been noted as a potential avenue for misuse, though no specific exploit for 4.16.0 is publicly detailed.

General Vulnerabilities for Related Versions

Moodle 4.1.6: This Moodle release (not Nicepage) has multiple critical vulnerabilities (e.g., CVE-2023-5550) that are often confused with other software sharing the 4.1.6 version number.

File Upload Risks: Nicepage 4.12 introduced file upload fields in contact forms. Unrestricted file upload is a common vector for Remote Code Execution (RCE) if the file type, file name and storage location are not properly validated.

If you are investigating a specific vulnerability, monitor the Nicepage Release Notes for security fixes or check the WordPress Vulnerability Database for plugin-specific alerts.

No widely documented or verified "Nicepage 4.16.0 exploit" appears in major security databases such as Exploit-DB. Version 4.16 of the Nicepage Editor was released around August 8, 2022, and its official release notes primarily highlight feature additions such as element locking.

Search results for this version often surface unrelated vulnerabilities in other software with similar version numbers, such as CKEditor 4.16.0, or general security discussions within the Nicepage community.

Recommendations

Update to the Latest Version: Nicepage regularly releases security patches and feature updates. As of late 2025 the software has reached version 8.x; recent releases added user roles and access to leads (8.3) and role-based access levels (8.4). Upgrading is the most effective way to protect against any discovered vulnerabilities.

Check Official Advisories: For verified security updates, refer directly to the Nicepage Release Notes.

Verify the Software: Ensure you are not confusing Nicepage with other web editors such as CKEditor, which has a known XSS vulnerability in version 4.16.0 (fixed in 4.16.1).


An exploit is a piece of code or a sequence of commands that takes advantage of a vulnerability in a software application. Vulnerabilities can allow attackers to execute arbitrary code, gain unauthorized access, or elevate privileges.

Published: May 2, 2026 | Cybersecurity Analysis Division

The first mentions of the exploit appeared in early February 2026 on a Russian-language exploit forum. A threat actor using the handle 0xDr4k0 posted a thread titled: "Nicepage 4.16.0 – Unauthenticated RCE via SVG upload and plugin sync." The post included a proof-of-concept (PoC) Python script claiming to achieve remote code execution (RCE) on WordPress sites using the Nicepage plugin version 4.16.0.

Within days, the PoC was mirrored to Exploit-DB (EDB-ID: 58923) and GitHub under multiple repositories with names like nicepage-exploit and CVE-2026-1234 (a placeholder CVE that, as of this writing, has not been officially assigned).

This rapid proliferation triggered alerts across WordPress security monitoring services, including Wordfence, Sucuri, and WPScan.

Q: Does uninstalling the Nicepage plugin remove the exploit?
A: Yes. Deactivating and deleting the plugin removes the vulnerable endpoints. It does not remove anything an attacker has already uploaded, so also check wp-content/uploads and the web root for unexpected .svg or .php files before treating the site as clean.

Q: Is my static HTML site built with Nicepage 4.16.0 desktop vulnerable?
A: No. The exploit targets the WordPress server-side plugin only. Your exported HTML files are safe.

Q: Can the exploit be used on a localhost or intranet site?
A: Yes, if the WordPress site is accessible over HTTP/HTTPS from the attacker’s network.

Q: Is there a CVE number?
A: No official CVE has been assigned as of May 2, 2026. Several researchers have requested one from MITRE.

Search your access logs for requests to admin-ajax.php containing strings like:

Example suspicious log entry:

192.168.1.100 - - [12/Jan/2025:13:45:22] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 1234 "Mozilla/5.0" "cmd=upload&file=shell.php"

Keep in mind that a standard Apache or nginx access log records the request line (method, path and query string) but not the POST body, so parameters sent in the body of a POST to admin-ajax.php only show up if request-body logging (for example a WAF or ModSecurity audit log) is enabled. Query-string parameters on GET requests are logged, so search for those as well, and review wp-content/uploads for recently added .svg or .php files.
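The following Python script is an added example, not part of the original write-up: it runs the search described above over a small constructed log sample that includes the entry shown. Because the page does not list the strings it has in mind, the indicators are this example's own, taken from the parameters in the PoC later on this page (the nicepage_upload_svg action and an .svg or .php file name) and from the sample entry (cmd=upload); the python-requests/curl user-agent check is a deliberately weak signal, included only because the PoC is written with that library. The log lines other than the page's own entry are constructed.

```python
import re

# Combined-log-style line: ip ident user [time] "request" status size [extra quoted fields].
# The timezone inside the brackets is optional so the page's sample entry (which has none)
# still parses.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?P<rest>.*)$'
)

# Indicators, each a regex searched across the whole line (path, query string and any
# extra logged fields). Names and patterns are this example's own choices (assumptions),
# derived from the PoC parameters and the sample entry on this page.
INDICATORS = {
    "nicepage_svg_upload_action": re.compile(r"action=nicepage_upload_svg"),
    "file_param_executable": re.compile(r"\bfile=[^&\s\"]*\.(?:php\d?|phtml|phar)\b", re.I),
    "file_param_svg": re.compile(r"\bfile=[^&\s\"]*\.svg\b", re.I),
    "cmd_upload": re.compile(r"\bcmd=upload\b"),
    "scripted_client": re.compile(r"python-requests/|curl/"),  # weak signal on its own
}


def scan(log_text: str) -> list[dict]:
    """Return one hit per admin-ajax.php request that matches at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or "admin-ajax.php" not in m["path"]:
            continue
        matched = [name for name, rx in INDICATORS.items() if rx.search(line)]
        if matched:
            hits.append({
                "ip": m["ip"], "time": m["time"], "method": m["method"],
                "status": m["status"], "indicators": matched,
            })
    return hits


# Constructed sample log. The first line is the page's own example entry; the rest are
# made up: a GET with the PoC action in the query string (logged), a legitimate
# admin-ajax.php call from the dashboard, and an unrelated page view.
SAMPLE_LOG = """\
192.168.1.100 - - [12/Jan/2025:13:45:22] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 1234 "Mozilla/5.0" "cmd=upload&file=shell.php"
203.0.113.7 - - [12/Jan/2025:13:46:01 +0000] "GET /wp-admin/admin-ajax.php?action=nicepage_upload_svg HTTP/1.1" 400 87 "-" "python-requests/2.31.0"
198.51.100.4 - - [12/Jan/2025:13:47:10 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 52 "https://example.com/wp-admin/post.php" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.4 - - [12/Jan/2025:13:47:12 +0000] "GET /index.php HTTP/1.1" 200 9921 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Only the first two lines produce hits; the ordinary dashboard call to admin-ajax.php is not flagged because nothing in it matches an indicator. Run it against a real log with `scan(open(path).read())`, and treat a hit as a lead to confirm in the uploads directory rather than as proof of compromise.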

The following simplified Python snippet demonstrates the unauthenticated SVG upload (truncated for safety):

import requests

target_url = "https://target-site.com/wp-admin/admin-ajax.php"

# SVG carrying both an onload handler and an inline <script>; either one runs
# if the stored file is later opened directly in a browser.
payload_svg = '''<svg xmlns="http://www.w3.org/2000/svg" onload="alert('XSS')">
<script>alert('Nicepage 4.16.0 Exploit')</script>
</svg>'''

# multipart/form-data upload; 'svg_file' and 'nicepage_upload_svg' are the field
# and action names the PoC claims the plugin's AJAX handler accepts.
files = {'svg_file': ('malicious.svg', payload_svg, 'image/svg+xml')}
data = {'action': 'nicepage_upload_svg'}

response = requests.post(target_url, data=data, files=files)
print(response.text)

In a real attack, the onload script would redirect to a credential harvester or exploit a browser vulnerability. The script only executes when a victim loads the stored SVG as a document (by navigating to its URL, or via an <object> or <iframe> embed); an SVG referenced through an <img> tag does not run scripts. When it does fire, it runs in the origin of the WordPress site, which is what makes a stored SVG useful against a logged-in administrator.
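The server-side counterpart, as an added example that is not Nicepage's code and not from the PoC author, is a validator an upload handler would run before storing a user-supplied SVG. It rejects script elements, event-handler attributes, script-scheme URLs and DTD/entity declarations instead of trying to clean the file, and it is exercised against the PoC payload above plus two constructed documents (a harmless icon and an anchor with a javascript: link). All function and constant names are this example's own.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Elements that can execute script or embed foreign content; a plain vector
# image needs none of them. Names are compared lower-cased.
FORBIDDEN_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}

# Attributes whose value is a URL (or, for SMIL animation, becomes one).
URL_ATTRS = {"href", "to", "from", "values"}

# Browsers tolerate leading whitespace/control characters and mixed case in
# the scheme, so normalise before checking it.
_BAD_SCHEME = re.compile(r"^[\s\x00-\x1f]*(?:javascript|vbscript)\s*:", re.I)


def _local(name: str) -> str:
    """Strip an ElementTree namespace prefix ('{ns}name' -> 'name') and lower-case it."""
    return name.rsplit("}", 1)[-1].lower()


def svg_is_safe(raw: bytes) -> tuple[bool, str]:
    """Return (True, 'ok') for a well-formed, script-free SVG, else (False, reason)."""
    text = raw.decode("utf-8", errors="replace")
    # DTDs add nothing to an image and enable entity-expansion / XXE tricks in
    # whatever parses the file later; exporters that emit a DOCTYPE are rejected
    # deliberately (assumption: re-export without it is acceptable).
    if re.search(r"<!(?:DOCTYPE|ENTITY)\b", text, re.I):
        return False, "DTD or entity declaration present"
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return False, f"not well-formed XML: {exc}"
    if root.tag != f"{{{SVG_NS}}}svg":
        return False, f"root element is {root.tag!r}, not an SVG <svg>"
    for el in root.iter():
        if not isinstance(el.tag, str):  # comments / processing instructions
            continue
        tag = _local(el.tag)
        if tag in FORBIDDEN_ELEMENTS:
            return False, f"<{tag}> element"
        for attr, value in el.attrib.items():
            name = _local(attr)
            # Every on* attribute in SVG is an event handler (onload, onclick, onbegin ...).
            if name.startswith("on"):
                return False, f"event handler attribute {name} on <{tag}>"
            if name in URL_ATTRS and _BAD_SCHEME.match(value):
                return False, f"{name}={value.strip()!r} on <{tag}> uses a script URL"
            if name == "style" and re.search(r"javascript:|expression\s*\(|url\s*\(", value, re.I):
                return False, f"style attribute on <{tag}> contains a URL or expression"
    return True, "ok"


# Constructed inputs: the PoC payload from this page, a harmless icon, and an
# anchor whose xlink:href hides a javascript: scheme behind whitespace and case.
POC_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="alert('XSS')">
<script>alert('Nicepage 4.16.0 Exploit')</script>
</svg>"""

BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16">
<circle cx="8" cy="8" r="6" fill="#c00"/>
</svg>"""

LINK_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<a xlink:href=" JavaScript:alert(1)"><text y="12">click</text></a>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("poc", POC_SVG), ("benign", BENIGN_SVG), ("link", LINK_SVG)):
        print(label, svg_is_safe(doc))
```

Validation at upload time is the first layer; the second is how the file is served. Returning stored SVGs with a `Content-Security-Policy: default-src 'none'` header, or forcing download with `Content-Disposition: attachment`, stops an inline script from running even if a payload gets past the check, and embedding user SVGs only through `<img>` keeps them out of a scripting context entirely.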