CVE-2026-1830CRITICAL 9.8EPSS p80.9%

CVE-2026-1830CVE-2026-1830

Description

The Quick Playground plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.1. This is due to insufficient authorization checks on REST API endpoints that expose a sync code and allow arbitrary file uploads. This makes it possible for unauthenticated attackers to retrieve the sync code, upload PHP files with path traversal, and achieve remote code execution on the server.

Scoring

CVSS 3.19.8 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS2.29% probability of exploitation · percentile 80.9% · 2026-06-19T12:03:05Z
Published2026-04-09
Last modified2026-04-24

Underlying weaknesses· 1

CWE-862

References

  1. https://plugins.trac.wordpress.org/browser/quick-playground/trunk/api.php#L39
  2. https://plugins.trac.wordpress.org/browser/quick-playground/trunk/expro-api.php#L419
  3. https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3500839%40quick-playground&new=3500839%40quick-playground&sfp_email=&sfph_mail=
  4. https://www.wordfence.com/threat-intel/vulnerabilities/id/308cd28a-a477-4bc6-a392-ad5a9eca1cb5?source=cve

1

TypeTargetConfidenceTier
WeaknessMissing Authorizationcwe-8620%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-2500
CVE
WordPress File Manager Plugin Remote Code Execution Vulnerability
CVE
CVE-2025-12673
CVE
CVE-2017-20251
CVE
CVE-2026-1560
CVE
CVE-2025-12057
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.