CVE-2026-1830

CRITICAL

Quick Playground <= 1.3.1 - Missing Authorization to Unauthenticated Arbitrary File Upload

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-1830. PoCs published by cardosource.

AI-analyzed exploit summary This exploit demonstrates an unauthenticated remote code execution vulnerability in the Quick Playground for WordPress plugin (version <= 1.3.1) by uploading a malicious PHP file via a REST API endpoint that lacks proper authentication and path traversal validation.

Description

The Quick Playground plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.1. This is due to insufficient authorization checks on REST API endpoints that expose a sync code and allow arbitrary file uploads. This makes it possible for unauthenticated attackers to retrieve the sync code, upload PHP files with path traversal, and achieve remote code execution on the server.

Exploits (1)

exploitdb WORKING POC
by cardosource · pythonwebappsmultiple
https://www.exploit-db.com/exploits/52596

This exploit demonstrates an unauthenticated remote code execution vulnerability in the Quick Playground for WordPress plugin (version <= 1.3.1) by uploading a malicious PHP file via a REST API endpoint that lacks proper authentication and path traversal validation.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Quick Playground for WordPress <= 1.3.1
No auth needed
Prerequisites: known or predictable sync_code value · access to the REST API endpoint
devstral-2 · analyzed May 30, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v3 9.8
EPSS 0.0229
EPSS Percentile 80.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-862
Status published
Products (1)
davidfcarr/Quick Playground < 1.3.1
Published Apr 09, 2026
Tracked Since Apr 09, 2026