8.2 (High) Proof-of-Concept (Educational Purpose Only) The following simplified Python snippet demonstrates the unauthenticated SVG upload (truncated for safety):
Within days, the PoC was mirrored to Exploit-DB (EDB-ID: 58923) and GitHub under multiple repositories with names like nicepage-exploit and CVE-2026-1234 (a placeholder CVE that, as of this writing, has not been officially assigned). nicepage 4.16.0 exploit
| Vector | Score | Severity | |--------|-------|-----------| | Unauthenticated SVG XSS | 6.1 (Medium) | Network low complexity, user interaction required | | CSRF Template Overwrite | 7.1 (High) | Confidentiality impact low, integrity high | | Auth'd Path Traversal | 7.5 (High) | High confidentiality impact | A threat actor using the handle 0xDr4k0 posted
Version , released in late 2025, was a significant update that introduced dynamic content widgets, improved SVG handling, and a new "remote publish" protocol. The Origin of the 'Nicepage 4.16.0 Exploit' Claims The first mentions of the exploit appeared in early February 2026 on a Russian-language exploit forum. A threat actor using the handle 0xDr4k0 posted a thread titled: "Nicepage 4.16.0 – Unauthenticated RCE via SVG upload and plugin sync." The post included a proof-of-concept (PoC) Python script claiming to achieve remote code execution (RCE) on WordPress sites using the Nicepage plugin version 4.16.0. as of this writing
