Description
The Quick Playground plugin for WordPress is vulnerable to Path Traversal in versions up to and including 1.3.3. This is due to insufficient path validation in the qckply_zip_theme() function, which appends a user-controlled 'stylesheet' parameter directly to the theme root directory path without sanitizing directory traversal sequences. This makes it possible for unauthenticated attackers to trigger the creation of a ZIP archive containing arbitrary files from the server's filesystem — including wp-config.
Published: 2026-05-15
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Quick Playground WordPress plugin fails to validate the user-supplied "stylesheet" parameter in the qckply_zip_theme() function. The absence of sanitization allows a crafted value to be appended to the theme root path and included in a dynamically generated ZIP archive. An unauthenticated attacker can request this API endpoint with an attacker-specified "stylesheet" value, causing the plugin to create a ZIP package that may contain any file on the server, including sensitive configuration files such as wp-config.

Affected Systems

WordPress sites that have the Quick Playground plugin by davidfcarr installed with any release up to and including version 1.3.3 are affected. The vulnerability is isolated to this plugin and applies only to those instances that have not been updated beyond the mentioned version threshold.

Risk and Exploitability

The flaw carries a CVSS score of 7.5, indicating high severity. No EPSS score is publicly available and the issue is not listed in the CISA KEV catalog. Because the attack vector requires only an unauthenticated HTTP request to the plugin's API endpoint and no additional prerequisites, exploitation is straightforward and currently possible.

Generated by OpenCVE AI on May 15, 2026 at 11:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the Quick Playground repository for an updated release that removes the unsanitized "stylesheet" handling and upgrade the plugin immediately.
  • If a fixed version is not available or an upgrade cannot be performed, deactivate or uninstall the Quick Playground plugin to eliminate the attack surface.
  • Configure your web server (e.g., .htaccess or Nginx rules) to deny unauthenticated access to the plugin’s api.php endpoint to mitigate potential exploitation while remediation is pending.

Generated by OpenCVE AI on May 15, 2026 at 11:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 15 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 15 May 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Davidfcarr
Davidfcarr quick Playground
Wordpress
Wordpress wordpress
Vendors & Products Davidfcarr
Davidfcarr quick Playground
Wordpress
Wordpress wordpress

Fri, 15 May 2026 09:00:00 +0000

Type Values Removed Values Added
Description The Quick Playground plugin for WordPress is vulnerable to Path Traversal in versions up to and including 1.3.3. This is due to insufficient path validation in the qckply_zip_theme() function, which appends a user-controlled 'stylesheet' parameter directly to the theme root directory path without sanitizing directory traversal sequences. This makes it possible for unauthenticated attackers to trigger the creation of a ZIP archive containing arbitrary files from the server's filesystem — including wp-config.
Title Quick Playground <= 1.3.3 - Unauthenticated Path Traversal to Arbitrary File Read via 'stylesheet' Parameter
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Davidfcarr Quick Playground
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-15T13:26:51.114Z

Reserved: 2026-04-15T20:36:14.670Z

Link: CVE-2026-6403

cve-icon Vulnrichment

Updated: 2026-05-15T13:26:46.490Z

cve-icon NVD

Status : Deferred

Published: 2026-05-15T09:16:16.973

Modified: 2026-05-15T14:09:15.910

Link: CVE-2026-6403

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T11:30:43Z

Weaknesses