Description
The Quick Playground plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.4. This is due to the `qckply_data()` function passing the user-supplied `filename` POST parameter directly to `file_get_contents()` without any validation, sanitization, or path restriction. This makes it possible for authenticated attackers, with Administrator-level access and above, to read arbitrary files on the server, such as `wp-config.php` or `/etc/passwd`, which can contain sensitive information. Note: This vulnerability is only exploitable when the site has been synced with WordPress Playground (the `is_qckply_clone` option is set) or when running on `playground.wordpress.net`.
Published: 2026-06-06
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Quick Playground WordPress plugin allows authenticated users with Administrator-level permissions to supply a filename parameter that is directly passed to file_get_contents() without validation. This results in path traversal, enabling attackers to read any file on the server, including sensitive configuration files such as wp-config.php or system files like /etc/passwd. The flaw does not provide a privilege escalation beyond the existing administrator rights but exposes confidential data that can be leveraged for further attacks.
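The unchecked pattern described above (the `filename` POST value reaching `file_get_contents()`) beside a confined version, as an added PHP example that is not the plugin's or the advisory's own code; the base directory, the nonce action and field names, and the AJAX handler shape are assumptions:

```php
<?php
// Added illustrative example; this is not the plugin's own code. qckply_data(),
// the 'filename' POST parameter and file_get_contents() come from the advisory;
// the base directory, nonce names and the AJAX handler shape are assumptions.

// Vulnerable pattern as the advisory describes it: the user-supplied value reaches
// file_get_contents() with no validation, sanitisation or path restriction.
function qckply_data_vulnerable() {
    $filename = isset( $_POST['filename'] ) ? wp_unslash( $_POST['filename'] ) : '';
    return file_get_contents( $filename );
}

// Hardened helper: resolve the requested name against a fixed base directory and
// accept it only if the canonical path is still inside that directory.
function qckply_resolve_safe_path( $filename, $base_dir ) {
    if ( ! is_string( $filename ) || $filename === '' || strpos( $filename, "\0" ) !== false ) {
        return false; // not a plain file name (empty or embedded NUL)
    }
    $base = realpath( $base_dir );
    if ( $base === false ) {
        return false; // base directory does not exist
    }
    // realpath() collapses '..' segments and symlinks, so anything escaping the
    // directory resolves outside $prefix below, or to false if it does not exist.
    $candidate = realpath( $base . DIRECTORY_SEPARATOR . $filename );
    if ( $candidate === false ) {
        return false;
    }
    $prefix = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( strncmp( $candidate, $prefix, strlen( $prefix ) ) !== 0 ) {
        return false; // resolved outside the allowed directory
    }
    return $candidate;
}

// Hardened handler: capability and nonce checks, then the confined read.
function qckply_data_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'qckply_data', 'nonce' ); // assumed nonce action/field names
    $base_dir = WP_CONTENT_DIR . '/uploads/qckply'; // assumed export directory
    $filename = isset( $_POST['filename'] ) ? wp_unslash( $_POST['filename'] ) : '';
    $path     = qckply_resolve_safe_path( $filename, $base_dir );
    if ( $path === false ) {
        wp_send_json_error( 'invalid filename', 400 );
    }
    wp_send_json_success( file_get_contents( $path ) );
}
```

The containment test compares canonical paths, so `..` segments, symlinks and NUL bytes are all handled before any file is opened.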

Affected Systems

All installations of the Quick Playground plugin version 1.3.4 or earlier on WordPress sites are impacted. The vulnerability is exploitable only when the site has the WordPress Playground sync enabled (the is_qckply_clone option is set) or when the site is hosted on playground.wordpress.net. The affected product is the Quick Playground plugin for WordPress maintained by davidfcarr.

Risk and Exploitability

The CVSS score of 4.4 indicates moderate severity, and the EPSS score is not available, so the current probability of exploitation is uncertain. Because the flaw requires administrator access, the attack surface is limited to sites where an attacker can gain such privileges. The vulnerability is not listed in the CISA KEV catalog, which indicates no confirmed in-the-wild exploitation at this time. However, once an attacker obtains admin rights, file disclosure can lead to credential theft, code injection or further compromise.

Generated by OpenCVE AI on June 6, 2026 at 04:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Quick Playground plugin to the latest version that removes the unvalidated filename parameter.
  • If upgrading is not feasible, disable or delete the qckply_data functionality by clearing the is_qckply_clone option or deactivating the plugin entirely.
  • Apply strict file system permissions and ensure that the web server user does not have broader read access to sensitive files beyond what is required for normal operation.

Advisories

No advisories yet.

History

Sat, 06 Jun 2026 04:45:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Davidfcarr; Davidfcarr quick Playground; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: none
Values Added: Davidfcarr; Davidfcarr quick Playground; Wordpress; Wordpress wordpress

Sat, 06 Jun 2026 03:30:00 +0000

Type: Description
Values Removed: none
Values Added: The Quick Playground plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.4. This is due to the `qckply_data()` function passing the user-supplied `filename` POST parameter directly to `file_get_contents()` without any validation, sanitization, or path restriction. This makes it possible for authenticated attackers, with Administrator-level access and above, to read arbitrary files on the server, such as `wp-config.php` or `/etc/passwd`, which can contain sensitive information. Note: This vulnerability is only exploitable when the site has been synced with WordPress Playground (the `is_qckply_clone` option is set) or when running on `playground.wordpress.net`.

Type: Title
Values Removed: none
Values Added: Quick Playground <= 1.3.4 - Authenticated (Administrator+) Arbitrary File Read via 'filename' Parameter

Type: Weaknesses
Values Removed: none
Values Added: CWE-22

Type: References
Values Removed: none
Values Added: none listed

Type: Metrics
Values Removed: none
Values Added: cvssV3_1 {'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-06T11:43:31.617Z

Reserved: 2026-02-13T21:47:55.634Z

Link: CVE-2026-2500

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-06T04:17:29.533

Modified: 2026-06-06T04:17:29.533

Link: CVE-2026-2500

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-06T04:30:12Z

Weaknesses