If you have ever used Nicepage on your WordPress site, perform these checks immediately:
Community and Forums:
Security Measures: Implement general security best practices:
Report to the Vendor: If you're a researcher and have found a vulnerability, or if you're a user affected, report it to Nicepage through their appropriate channels, usually found on their official website.
Nicepage uses custom endpoints. Block external access via .htaccess:
# <Files> matches file names only, and /wp-json/... routes are not files, so the original
# <Files "wp-json/nicepage/*"> block never matched; use mod_rewrite on the request URI instead.
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-json/nicepage/ [NC]
RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1$
RewriteRule ^ - [F]
(Adjust the address to your admin IP range; anyone outside it will also lose access to the Nicepage editor's REST calls.)
The so-called "Nicepage Website Builder Exploit" is not a single CVE (Common Vulnerabilities and Exposures) but rather a collection of vulnerabilities discovered across versions 5.0 to 6.3.8 of the WordPress plugin. Researchers at Patchstack and Wordfence independently reported the following key issues:
Nicepage is a website builder that allows users to create professional-looking websites without needing to know how to code. It's designed to be user-friendly, offering drag-and-drop functionality, a variety of templates, and customization options.
Even for logged-in editors, Nicepage failed to properly sanitize custom CSS classes and inline styles. Attackers with author-level access (or via CSRF) could inject JavaScript into button hover states or custom HTML blocks, and the payload would fire whenever any visitor viewed the page (stored XSS).
Add to your functions.php:
add_filter('nicepage_allow_public_upload', '__return_false');
In April 2024, a digital marketing agency in Texas reported that ten of their client sites (all running Nicepage) were defaced simultaneously. Analysis revealed the following multi-step attack:
The agency spent over $15,000 in cleanup and lost three clients.