CVE-2026-1830

CRITICAL

Quick Playground <= 1.3.1 - Missing Authorization to Unauthenticated Arbitrary File Upload

Title source: cna

Description

The Quick Playground plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.1. This is due to insufficient authorization checks on REST API endpoints that expose a sync code and allow arbitrary file uploads. This makes it possible for unauthenticated attackers to retrieve the sync code, upload PHP files with path traversal, and achieve remote code execution on the server.

References (4)

https://www.wordfence.com/threat-intel/vulnerabilities/id/308cd28a-a477-4bc6-a392-ad5a9eca1cb5?source=cve

https://plugins.trac.wordpress.org/browser/quick-playground/trunk/api.php#L39

https://plugins.trac.wordpress.org/browser/quick-playground/trunk/expro-api.php#L419

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3500839%40quick-playground&new=3500839%40quick-playground&sfp_email=&sfph_mail=

Scores

CVSS v3 9.8

EPSS 0.0024

EPSS Percentile 46.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-862

Status published

Products (1)

davidfcarr/Quick Playground < 1.3.1

Published Apr 09, 2026

Tracked Since Apr 09, 2026