Nicepage 4.16.0 Exploit May 2026

If you are running Nicepage plugin 4.16.0, take these actions immediately:

Q: Does uninstalling the Nicepage plugin remove the exploit?
A: Yes. Deactivation and deletion break the vulnerable endpoints.

Q: Is my static HTML site built with Nicepage 4.16.0 desktop vulnerable?
A: No. The exploit targets the WordPress server-side plugin only. Your exported HTML files are safe.

Q: Can the exploit be used on a localhost or intranet site?
A: Yes, if the WordPress site is accessible over HTTP/HTTPS from the attacker’s network.

Q: Is there a CVE number?
A: No official CVE has been assigned as of May 2, 2026. Several researchers have requested one from MITRE.

Search your access logs for admin-ajax.php requests containing strings like:

Example suspicious log entry:

192.168.1.100 - - [12/Jan/2025:13:45:22] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 1234 "Mozilla/5.0" "cmd=upload&file=shell.php"
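
One way to automate this log search, as an added example that is not part of the original page or of any Nicepage tooling. It assumes the log layout of the sample entry above, where the last quoted field holds the logged POST body. The two heuristics (a server-side script file name, a path traversal sequence) are assumptions chosen for this example rather than published indicators, and every sample line except the first is constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Layout of the page's sample entry: combined-style fields followed by quoted
# extras; the last quoted field is assumed to hold the logged POST body.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+(?P<extra>(?: "[^"]*")*)\s*$')
# Heuristics assumed for this example, not indicators published for Nicepage.
SCRIPT_EXT = re.compile(r'\.(?:php\d?|phtml|phar)\b', re.IGNORECASE)
TRAVERSAL = re.compile(r'\.\.[/\\]')

def check_line(line):
    """Return a finding dict for a suspicious admin-ajax.php POST, else None."""
    m = LINE_RE.match(line.strip())
    if not m or m['method'] != 'POST':
        return None
    target = urlsplit(m['target'])
    if not target.path.endswith('/wp-admin/admin-ajax.php'):
        return None
    quoted = re.findall(r'"([^"]*)"', m['extra'])
    body = quoted[-1] if quoted else ''
    reasons = []
    for key, value in parse_qsl(target.query) + parse_qsl(body):
        value = unquote(value)  # second decode catches double-encoded values
        if SCRIPT_EXT.search(value):
            reasons.append(f'{key}: server-side script name')
        if TRAVERSAL.search(value):
            reasons.append(f'{key}: path traversal sequence')
    if not reasons:
        return None
    return {'ip': m['ip'], 'time': m['ts'],
            'status': int(m['status']), 'reasons': reasons}

def scan(lines):
    """Check every log line and keep only the findings."""
    return [f for f in map(check_line, lines) if f]

SAMPLE_LOG = [  # first line is the page's sample; the rest are constructed
    '192.168.1.100 - - [12/Jan/2025:13:45:22] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 1234 "Mozilla/5.0" "cmd=upload&file=shell.php"',
    '192.168.1.50 - - [12/Jan/2025:13:46:01] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58 "Mozilla/5.0" "action=heartbeat&interval=60"',
    '192.168.1.77 - - [12/Jan/2025:13:47:10] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 310 "Mozilla/5.0" "cmd=upload&file=..%2F..%2Fnotes.txt"',
    '192.168.1.50 - - [12/Jan/2025:13:48:30] "GET /index.php HTTP/1.1" 200 5120 "Mozilla/5.0" ""',
]

if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A 200 status on a flagged request only means the server answered; confirm on disk whether a file was actually written before treating the hit as a compromise.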

Based on CVSS v3.1:

| Vector | Score (severity) | Notes |
|--------|------------------|-------|
| Unauthenticated SVG XSS | 6.1 (Medium) | Network low complexity, user interaction required |
| CSRF Template Overwrite | 7.1 (High) | Confidentiality impact low, integrity high |
| Auth'd Path Traversal | 7.5 (High) | High confidentiality impact |

Combined chain (Auth'd SVG + traversal = RCE): 8.2 (High)

Through controlled testing in an isolated virtual environment (WordPress 6.7 + Nicepage Plugin 4.16.0), our team replicated the exploit. Contrary to alarming headlines, the exploit is not a universal backdoor in the Nicepage desktop application. Instead, it targets a specific chain of vulnerabilities in the WordPress plugin version 4.16.0.
