Description
The Quick Playground plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.1. This is due to insufficient authorization checks on REST API endpoints that expose a sync code and allow arbitrary file uploads. This makes it possible for unauthenticated attackers to retrieve the sync code, upload PHP files with path traversal, and achieve remote code execution on the server.
Published: 2026-04-09
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The Quick Playground WordPress plugin is affected by an authorization flaw that allows unauthenticated users to obtain a sync code and upload PHP files via exposed REST API endpoints. This omission in access control enables attackers to perform path‑traversal uploads and subsequently execute arbitrary code on the host server, delivering full control over the application or underlying operating system.

Affected Systems

All installations of the Quick Playground plugin developed by davidfcarr running version 1.3.1 or earlier are susceptible. The vulnerability applies to the WordPress REST API implementation that the plugin exposes for synchronization tasks.

Risk and Exploitability

The flaw carries a CVSS score of 9.8, indicating a critical severity level. No EPSS score is available, and the vulnerability does not appear in the CISA KEV catalog. Because the attack vector requires only unauthenticated access to the REST API, an attacker can exploit the flaw remotely without any prior user interaction. Successful exploitation results in remote code execution, granting the attacker full integrity and confidentiality compromise of the affected site and potentially the entire web server.

Generated by OpenCVE AI on April 9, 2026 at 05:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Quick Playground to the latest available version (≥1.4.0)
  • If an immediate update is not possible, disable the Quick Playground plugin or remove the vulnerable REST API endpoints from your site
  • Configure your web server or WordPress security plugins to block PHP execution in upload directories or to deny file uploads entirely

Generated by OpenCVE AI on April 9, 2026 at 05:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Davidfcarr
Davidfcarr quick Playground
Wordpress
Wordpress wordpress
Vendors & Products Davidfcarr
Davidfcarr quick Playground
Wordpress
Wordpress wordpress

Thu, 09 Apr 2026 04:30:00 +0000

Type Values Removed Values Added
Description The Quick Playground plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.1. This is due to insufficient authorization checks on REST API endpoints that expose a sync code and allow arbitrary file uploads. This makes it possible for unauthenticated attackers to retrieve the sync code, upload PHP files with path traversal, and achieve remote code execution on the server.
Title Quick Playground <= 1.3.1 - Missing Authorization to Unauthenticated Arbitrary File Upload
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Davidfcarr Quick Playground
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-09T03:25:57.200Z

Reserved: 2026-02-03T14:35:29.820Z

Link: CVE-2026-1830

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-09T05:16:03.420

Modified: 2026-04-09T05:16:03.420

Link: CVE-2026-1830

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:25:05Z

Weaknesses