Cyber Posture

CVE-2026-1830

Critical

Published: 09 April 2026
Modified: 24 April 2026
KEV Added: none listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0024 (46.3rd percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

The Quick Playground plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.1. This is due to insufficient authorization checks on REST API endpoints that expose a sync code and allow arbitrary file uploads. This makes it possible for unauthenticated attackers to retrieve the sync code, upload PHP files with path traversal, and achieve remote code execution on the server.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

Prevent: Enforces approved authorizations for logical access to system resources, directly mitigating the insufficient authorization checks on the REST API endpoints that expose the sync code.

Prevent: Validates and sanitizes inputs to REST API endpoints, preventing the path traversal and arbitrary PHP file uploads that lead to RCE.

Prevent: Identifies, reports, and remediates flaws such as the vulnerable code in api.php and expro-api.php of the Quick Playground plugin, versions up to and including 1.3.1.

Security Summary [AI-generated]

CVE-2026-1830, published on 2026-04-09, is a critical remote code execution vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) linked to CWE-862 (Missing Authorization). It affects the Quick Playground plugin for WordPress in all versions up to and including 1.3.1. The flaw stems from insufficient authorization checks on REST API endpoints that expose a sync code and allow arbitrary file uploads.

Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By first retrieving the exposed sync code, they can upload malicious PHP files via path traversal, achieving remote code execution on the server.

The referenced advisories point into the WordPress plugins Trac repository, identifying vulnerable code at api.php line 39 and expro-api.php line 419, with changeset 3500839 documenting changes to the Quick Playground plugin. Wordfence threat intelligence (vulnerability ID 308cd28a-a477-4bc6-a392-ad5a9eca1cb5) provides additional details on the issue.

Details

CWE(s): CWE-862 (Missing Authorization)

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows unauthenticated remote code execution via exploitation of a public-facing WordPress plugin's REST API endpoints with missing authorization, enabling arbitrary PHP file uploads through path traversal.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
