Nicepage Website Builder Exploit [SAFE]

For the uninitiated, Nicepage is a popular proprietary drag-and-drop website builder available as:

It boasts features like responsive design, mega menus, theme building, and more than 8,000 pre-made blocks. Its selling point is visual freedom outside the constraints of standard WordPress themes. That very freedom, however, relies on complex DOM manipulation, custom shortcodes, and user-uploaded assets, and each of those is a potential attack surface.

Nicepage Website Builder — Why Low-Code Doesn’t Mean Low-Risk

Imagine a crafted SVG file uploaded as a "design asset." If Nicepage does not sanitize SVG on upload and later renders it inline, the script embedded in that file executes in every visitor’s browser, where it can read cookies or session tokens.

Set up real-time monitoring for new administrator accounts and unexpected file changes, and put a web application firewall such as Patchstack or Sucuri in front of the site.

Add to your functions.php:

add_filter('nicepage_allow_public_upload', '__return_false');

Nicepage is a website builder that allows users to create professional-looking websites without needing to know how to code. It's designed to be user-friendly, offering drag-and-drop functionality, a variety of templates, and customization options.

Even for logged-in editors, Nicepage failed to properly sanitize custom CSS classes and inline styles. An attacker with author-level access (or acting through CSRF) could inject JavaScript into button hover states or custom HTML blocks, and the payload would fire whenever any visitor viewed the page.
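As an added defensive example (not code from this page, from Nicepage, or from WordPress), the check below covers both problems described above: it scans an uploaded SVG, or a custom HTML block with its classes and inline styles, for active content before the asset is stored and rendered inline. It flags script-bearing elements, on* event handlers, javascript: URLs (including entity-encoded ones), style values that can execute code, and CSS class tokens outside an allowlisted character set. The element and attribute lists, the function names and the sample inputs are my own assumptions; only the Python standard library is used.

```python
"""Flag active content in user-supplied SVG or custom HTML fragments.

Constructed defensive example: a pre-save check an upload handler or
editor plugin could run before storing markup that will be rendered
inline.  It reports findings rather than silently rewriting the input.
"""
import re
from html.parser import HTMLParser

# Elements that execute or load code when rendered inline (assumed list).
ACTIVE_ELEMENTS = {"script", "iframe", "object", "embed", "foreignobject"}

# Attributes that carry a URL and may therefore hold a javascript: URL.
URL_ATTRS = {"href", "xlink:href", "src", "action", "formaction", "data"}

# CSS constructs historically abused to run script or pull remote code.
DANGEROUS_CSS = re.compile(
    r"expression\s*\(|javascript\s*:|behavior\s*:|-moz-binding|@import", re.I
)

# A CSS class token: letters, digits, hyphen and underscore only.
CLASS_TOKEN = re.compile(r"^[A-Za-z0-9_-]+$")


def _is_script_url(value: str) -> bool:
    """Browsers ignore control characters inside a URL scheme, so strip
    them before comparing (HTMLParser has already decoded &#...; refs)."""
    compact = re.sub(r"[\x00-\x20]", "", value).lower()
    return compact.startswith(("javascript:", "vbscript:", "data:text/html"))


class ActiveContentScanner(HTMLParser):
    """Collects every finding so the caller can show them all at once."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True: attribute values are unescaped
        self.findings = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        if tag in ACTIVE_ELEMENTS:
            self.findings.append(f"element <{tag}>")
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and _is_script_url(value):
                self.findings.append(f"script URL in {name} on <{tag}>")
            elif name == "style" and DANGEROUS_CSS.search(value):
                self.findings.append(f"dangerous style on <{tag}>: {value!r}")
            elif name == "class":
                for token in value.split():
                    if not CLASS_TOKEN.match(token):
                        self.findings.append(
                            f"malformed class token {token!r} on <{tag}>"
                        )

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # <style> bodies arrive here verbatim; check them like inline styles.
        if self._in_style and DANGEROUS_CSS.search(data):
            self.findings.append("dangerous css in <style> body")


def scan_markup(markup: str) -> list[str]:
    """Return a list of human-readable findings; empty means nothing flagged."""
    scanner = ActiveContentScanner()
    scanner.feed(markup)
    scanner.close()
    return scanner.findings


def is_safe_to_inline(markup: str) -> bool:
    return not scan_markup(markup)


# Constructed sample inputs (not taken from the page).
BENIGN_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              '<circle cx="5" cy="5" r="4" fill="#09f"/></svg>')
SCRIPT_SVG = ('<svg xmlns="http://www.w3.org/2000/svg">'
              '<script>alert(document.cookie)</script></svg>')
HANDLER_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
               '<rect width="1" height="1"/></svg>')
ENCODED_HREF_SVG = ('<svg xmlns="http://www.w3.org/2000/svg">'
                    '<a href="&#106;avascript:alert(1)"><text>x</text></a></svg>')
HOVER_BLOCK = '<a class="btn btn--primary" style="color:red;x:expression(alert(1))">Buy</a>'
BAD_CLASS_BLOCK = '<div class="hero&quot; onmouseover=&quot;alert(1)">hi</div>'

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN_SVG), ("script", SCRIPT_SVG),
                          ("handler", HANDLER_SVG), ("encoded", ENCODED_HREF_SVG),
                          ("hover", HOVER_BLOCK), ("class", BAD_CLASS_BLOCK)]:
        print(label, "->", scan_markup(sample) or "clean")
```

Run the check on the raw bytes before they are written to the uploads directory or saved as block content, and surface the findings to the editor instead of stripping silently. It is a detector, not a sanitizer: pair it with a server-side sanitization library, and serve uploaded SVGs through an `<img>` tag or as a download rather than inlining them, so that even a missed case cannot run script in the page's origin.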