CVE-2026-1830
Remote Code Execution in Quick Playground WordPress Plugin
Publication date: 2026-04-09
Last updated on: 2026-04-09
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| quick_playground | plugin | up to 1.3.1 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Quick Playground plugin for WordPress has a vulnerability that allows remote code execution. This happens because the plugin does not properly check authorization on its REST API endpoints. These endpoints expose a sync code and permit arbitrary file uploads. An attacker who is not authenticated can obtain the sync code, upload malicious PHP files using path traversal techniques, and execute code remotely on the server.
How can this vulnerability impact me?
This vulnerability can have severe impacts because it allows an attacker to execute arbitrary code on your server without any authentication. This can lead to full compromise of the server, including data theft, data loss, defacement, or using the server as a launch point for further attacks.