CVE-2026-2500
Published 2026-06-06
Priority: P4 (24) | Severity: Medium, CVSS 3.1 base score 4.4
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.32% (23.2nd percentile)
The Quick Playground plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.4. This is due to the `qckply_data()` function passing the user-supplied `filename` POST parameter directly to `file_get_contents()` without any validation, sanitization, or path restriction. This makes it possible for authenticated attackers, with Administrator-level access and above, to read arbitrary files on the server, such as `wp-config.php` or `/etc/passwd`, which can contain sensitive information. Note: This vulnerability is only exploitable when the site has been synced with WordPress Playground (the `is_qckply_clone` option is set) or when running on `playground.wordpress.net`.

Two points for triage. The Administrator requirement is what puts PR:H in the vector and holds the base score at 4.4; a default WordPress administrator can already reach the filesystem by installing a plugin or using the plugin file editor, so the read matters most on installs where that role is deliberately kept away from files (`DISALLOW_FILE_EDIT` or `DISALLOW_FILE_MODS` set, or multisite, where site administrators cannot install plugins or edit code through the dashboard). The `is_qckply_clone` precondition means a site that has never been synced with Playground carries the vulnerable code but, per the advisory, the read path is not reachable. No fixed version is listed in the affected range.
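As an added example, not the plugin's own code (which lives in `client-qckply_data.php` per the references), the handler shape the advisory describes sits next to a hardened version that canonicalises the request with `realpath()` and refuses any target outside a fixed base directory. The base directory `WP_CONTENT_DIR . '/qckply-data'`, the nonce action `qckply_data`, and the function names are assumptions for illustration; the WordPress calls used (`current_user_can`, `check_ajax_referer`, `wp_unslash`, `wp_send_json_error`, `wp_send_json_success`) are real core functions.

```php
<?php
// Added example; not the Quick Playground plugin's own code.

// The vulnerable shape the advisory describes: a POST parameter flows
// straight into file_get_contents() with no validation or path restriction.
// Both "../../wp-config.php" and an absolute "/etc/passwd" are read as-is.
function qckply_data_vulnerable(): void {
    $filename = $_POST['filename'] ?? '';
    echo file_get_contents( $filename );
}

// Hardened read: resolve the requested name under a fixed base directory
// and reject anything that escapes it. $base_dir is an assumption here.
function qckply_read_allowed_file( string $requested, string $base_dir ): ?string {
    $base = realpath( $base_dir );
    if ( $base === false ) {
        return null; // base directory missing: nothing is readable
    }
    // Canonicalise the full path rather than trusting basename(), so that
    // subdirectories stay reachable but "..", absolute paths and symlinks
    // pointing out of the base are all collapsed before the prefix check.
    $target = realpath( $base . DIRECTORY_SEPARATOR . $requested );
    if ( $target === false || ! is_file( $target ) ) {
        return null; // non-existent path, or a directory rather than a file
    }
    $prefix = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( strncmp( $target, $prefix, strlen( $prefix ) ) !== 0 ) {
        return null; // resolved outside the base directory: traversal attempt
    }
    $content = file_get_contents( $target );
    return $content === false ? null : $content;
}

// Hardened handler: capability check, nonce check, then the restricted read.
// 'manage_options' and the 'qckply_data' nonce action are assumed names.
function qckply_data_hardened(): void {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'qckply_data' );

    $requested = isset( $_POST['filename'] ) ? (string) wp_unslash( $_POST['filename'] ) : '';
    $content   = qckply_read_allowed_file( $requested, WP_CONTENT_DIR . '/qckply-data' );
    if ( $content === null ) {
        wp_send_json_error( 'invalid filename', 400 );
    }
    wp_send_json_success( $content );
}
```

The prefix comparison runs on the `realpath()` output, so `../` sequences, absolute paths and symlinks that point out of the base directory are all rejected by one check. `realpath()` returns `false` for a path that does not exist, and the code treats that as a rejection rather than letting it fall through to `file_get_contents()`. The capability and nonce checks are separate controls: they do not stop an Administrator, which is the role the advisory names, so the path restriction is the part that actually closes the read.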
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| davidfcarr | quick_playground | <= 1.3.4 | — |
VulDB (vuldb, 2026-06-06, CVSS 4.4, MEDIUM)
CVE-2026-2500: davidfcarr Quick Playground Plugin up to 1.3.4 on WordPress POST Parameter wp-config.php qckply_data filename path traversal (EUVD-2026-34953)
A vulnerability labeled as critical has been found in davidfcarr Quick Playground Plugin up to 1.3.4 on WordPress. Impacted is the function qckply_data of the file wp-config.php of the component POST Parameter Handler. Executing a manipulation of the argument filename can lead to path traversal.
This vulnerability is tracked as CVE-2026-2500. The attack can be launched remotely. No exploit exists.
The affected component should be upgraded.
GHSA (ghsa_unreviewed, 2026-06-06, MEDIUM, CWE-22)
CVE-2026-2500: The Quick Playground plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.4. The GHSA description is the same text as the CVE description above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://plugins.trac.wordpress.org/browser/quick-playground/tags/1.2/client-qckply_data.php#L10
- https://plugins.trac.wordpress.org/browser/quick-playground/trunk/client-qckply_data.php#L10
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3558027%40quick-playground&new=3558027%40quick-playground&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/a920d8c0-fb6b-40dc-ae61-ac004b0dfccd?source=cve
Published: 2026-06-06