cbcvebase.
CVE-2026-1830
published 2026-04-09

Priority: P279
Severity: critical, 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: EXPLOIT
EPSS: 3.09% (86.1th percentile)
The Quick Playground plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.1. This is due to insufficient authorization checks on REST API endpoints that expose a sync code and allow arbitrary file uploads. This makes it possible for unauthenticated attackers to retrieve the sync code, upload PHP files with path traversal, and achieve remote code execution on the server.

Affected

1 range

Vendor        Product            Version range   Fixed in
davidfcarr    quick_playground   <= 1.3.1        (not listed)

Detection & IOCs (extracted from sources)

url: /wp-json/quickplayground/v1/upload_image/{PROFILE}
filename: ../../../{random}.php
command: system($_GET["cmd"])
command: wp option update qckply_sync_code_default 'exploit123' --allow-root
other: qckply_sync_code_default
  • Monitor for unauthenticated POST requests to the REST API endpoint /wp-json/quickplayground/v1/upload_image/ — this is the upload vector used to deliver PHP webshells via path traversal.
  • Detect path traversal sequences (e.g., '../../../') in the 'filename' field of JSON payloads sent to the Quick Playground REST API upload endpoint.
  • Alert on PHP files appearing in the WordPress web root (outside of expected plugin/theme directories) following requests to the Quick Playground upload endpoint — these are dropped webshells.
  • Detect unauthenticated retrieval of the sync code via REST API endpoints on the Quick Playground plugin, which is a prerequisite step before the file upload attack.
  • Look for base64-encoded PHP webshell content in JSON POST bodies targeting the Quick Playground upload endpoint, specifically the 'base64' and 'sync_code' fields.
  • Flag GET requests to newly created .php files in the WordPress root directory with a 'cmd' query parameter, indicating webshell execution attempts post-upload.
  • The exploit requires a known or retrieved sync code ('sync_code' field in the JSON payload). The sync code is stored in the WordPress option 'qckply_sync_code_default' and can be fetched unauthenticated via the REST API before the upload step.
  • All versions up to and including 1.3.1 of the Quick Playground plugin are vulnerable; a patched version exists per vendor disclosure.
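The detection bullets above can be turned into a small rule set that runs over request records. The following is an added example written for this entry; it is not code from the Quick Playground plugin or from cbcvebase. It assumes request records in a simple method/url/body/authenticated shape, as a WAF or reverse proxy would export them (a plain access log has no request body, so the body-based rules only work with such a source), and the allowlist of standard WordPress root files is an assumption used to approximate "newly created .php files in the web root" without a filesystem baseline. Endpoint path and JSON field names ('filename', 'base64', 'sync_code') come from the IOC list above; the sample traffic at the bottom is constructed.

```python
import base64
import json
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and field names are taken from the IOC list for CVE-2026-1830.
UPLOAD_PREFIX = "/wp-json/quickplayground/v1/upload_image/"
# Path traversal in plain, backslash, and URL-encoded forms.
TRAVERSAL = re.compile(r"\.\.(/|\\|%2f|%5c)", re.IGNORECASE)
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
# Assumption: PHP entry points that legitimately live in a WordPress web root.
KNOWN_ROOT_PHP = {
    "index.php", "wp-login.php", "xmlrpc.php", "wp-cron.php",
    "wp-comments-post.php", "wp-signup.php", "wp-activate.php",
    "wp-trackback.php", "wp-links-opml.php", "wp-mail.php",
}


def inspect_request(method, url, body=None, authenticated=False):
    """Return the detection labels that fire for one HTTP request."""
    alerts = []
    parts = urlsplit(url)
    path, query = parts.path, parse_qs(parts.query)
    method = method.upper()

    if path.startswith(UPLOAD_PREFIX):
        # Upload stage: unauthenticated POST to the vulnerable endpoint.
        if method == "POST" and not authenticated:
            alerts.append("unauth_upload_endpoint")
        try:
            data = json.loads(body) if body else {}
        except ValueError:
            data = {}
        if not isinstance(data, dict):
            data = {}
        filename = str(data.get("filename", ""))
        if TRAVERSAL.search(filename):
            alerts.append("traversal_in_filename")
        if filename.lower().endswith((".php", ".phtml", ".phar")):
            alerts.append("php_extension_in_filename")
        if "sync_code" in data:
            alerts.append("sync_code_in_body")
        raw = str(data.get("base64", ""))
        try:
            # Tolerate missing padding; non-alphabet bytes are discarded.
            decoded = base64.b64decode(raw + "=" * (-len(raw) % 4))
        except (ValueError, TypeError):
            decoded = b""
        if PHP_TAG.search(decoded):
            alerts.append("php_in_base64_body")

    # Execution stage: GET with a 'cmd' parameter to a .php file directly in
    # the web root that is not one of WordPress's own entry points.
    name = path.rsplit("/", 1)[-1]
    if (method == "GET" and path.count("/") == 1
            and name.lower().endswith(".php")
            and name.lower() not in KNOWN_ROOT_PHP and "cmd" in query):
        alerts.append("webroot_php_cmd_param")
    return alerts


def scan_records(records):
    """Run inspect_request over request records; return (index, alerts) hits."""
    hits = []
    for i, rec in enumerate(records):
        alerts = inspect_request(rec["method"], rec["url"], rec.get("body"),
                                 rec.get("authenticated", False))
        if alerts:
            hits.append((i, alerts))
    return hits


# Constructed sample traffic (not real captures): a normal login page hit,
# a legitimate authenticated image upload, then the two-stage pattern.
SAMPLE_RECORDS = [
    {"method": "GET", "url": "/wp-login.php?redirect_to=%2Fwp-admin%2F"},
    {"method": "POST", "url": UPLOAD_PREFIX + "default", "authenticated": True,
     "body": json.dumps({"filename": "photo.jpg",
                         "base64": base64.b64encode(b"\xff\xd8\xff\xe0jpeg").decode()})},
    {"method": "POST", "url": UPLOAD_PREFIX + "default",
     "body": json.dumps({"filename": "../../../x7f2.php", "sync_code": "CONSTRUCTED",
                         "base64": base64.b64encode(b"<?php /* constructed marker */ ?>").decode()})},
    {"method": "GET", "url": "/x7f2.php?cmd=test"},
]

if __name__ == "__main__":
    for idx, labels in scan_records(SAMPLE_RECORDS):
        rec = SAMPLE_RECORDS[idx]
        print(idx, rec["method"], rec["url"], labels)
```

The two stages are labelled separately on purpose: an unauthenticated POST to the upload endpoint is worth an alert on its own, while the traversal, PHP-extension, sync_code and base64-payload labels together distinguish an exploitation attempt from ordinary plugin use, and the execution-stage label on a later GET to the same new .php name is what confirms a dropped file is being used.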