If your site currently runs Nicepage 4.5.4, consider it compromised. Follow these steps immediately:
By manipulating the template parameter, an attacker could force the plugin to read and execute arbitrary files on the server via PHP’s include() function.
Example Malformed Request:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: target-site.com
Content-Type: application/x-www-form-urlencoded

action=nicepage_activate_theme&template=../../../../wp-config.php%00
This request would retrieve the wp-config.php file, exposing database credentials.
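For defenders reviewing traffic, the following added example (not code from Nicepage or from the original page) flags POST bodies sent to admin-ajax.php whose template value contains traversal markers like those in the request above. It assumes request bodies are available from a WAF or audit log, since standard access logs do not record them; the sample records are constructed.

```python
import re
from urllib.parse import parse_qs, unquote

# Names taken from the request shown above.
ACTION = "nicepage_activate_theme"
PARAM = "template"

def fully_decode(value, max_rounds=5):
    """Undo nested percent-encoding (e.g. %252e -> %2e -> .)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_body(body):
    """Return the reasons a form-encoded POST body looks like a traversal attempt."""
    fields = parse_qs(body, keep_blank_values=True)  # decodes one layer
    if ACTION not in fields.get("action", []):
        return []
    reasons = []
    for raw in fields.get(PARAM, []):
        value = fully_decode(raw).replace("\\", "/")
        if "\x00" in value:
            reasons.append("null byte")
        if ".." in value.split("/"):
            reasons.append("parent-directory segment")
        if value.startswith("/") or re.match(r"[A-Za-z]:/", value):
            reasons.append("absolute path")
    return reasons

def scan(records):
    """records: iterable of (client_ip, post_body); returns the flagged ones."""
    return [(ip, r) for ip, body in records if (r := inspect_body(body))]

# Constructed sample records (documentation IP ranges), not real traffic.
SAMPLE = [
    ("192.0.2.10", "action=nicepage_activate_theme&template=default"),
    ("198.51.100.7", "action=nicepage_activate_theme&template=../../../../wp-config.php%00"),
    ("198.51.100.7", "action=nicepage_activate_theme&template=%252e%252e%252fwp-config.php"),
    ("203.0.113.5", "action=heartbeat&template=../x"),
]

if __name__ == "__main__":
    for ip, reasons in scan(SAMPLE):
        print(ip, ", ".join(reasons))
```

Any hit in historical logs is a reason to treat the site as needing credential rotation, not just a plugin update.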
The Nicepage team released version 4.5.5 and subsequent patches (4.6.0+) that:
Action: Go to WordPress Admin > Plugins > Installed Plugins and update Nicepage to the latest version (4.10+ as of 2025).