Vulnerability Report

CVE-2026-1830

RCE

Title: RCE in Quick Playground WordPress Plugin

Arbitrary File Access

Proof Of Concept

PoC Available for CVE-2026-1830

CWE Category CWE-862

Published Date Apr 09, 2026

Modified Date Apr 24, 2026

Exploit Status Available

Score 9.8 CVSS v3.1

Exploit Probability (EPSS)

2.29%

Vulnerability Summary

CVE-2026-1830: The Quick Playground plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.1. This is due to insufficient authorization checks on REST API endpoints that expose a sync code and allow arbitrary file uploads. This makes it possible for unauthenticated attackers to retrieve the sync code, upload PHP files with path traversal, and achieve remote code execution on the server.

Impacted Vendors

Analysis in Progress...

Reference Links

https://plugins.trac.wordpress.org/browser/quick-playground/trunk/api.php#L39 https://plugins.trac.wordpress.org/browser/quick-playground/trunk/expro-api.php#L419 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3500839%40quick-playground&new=3500839%40quick-playground&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/308cd28a-a477-4bc6-a392-ad5a9eca1cb5?source=cve

CVSS v3.1

Source Entity [email protected]

Severity CRITICAL

9.8

Attack Vector

NETWORK

Complexity

LOW

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

UNCHANGED

RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Associated Attack Patterns (CAPEC)

Total: Patterns