What is the CVSS score of CVE-2026-1830?

CVE-2026-1830 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.2%.

Which versions of PHP are affected by CVE-2026-1830?

The Quick Playground WordPress plugin (versions ≤1.3.1) contains a critical remote code execution vulnerability that allows unauthenticated attackers to completely compromise affected web servers…

Is there a public PoC exploit available for CVE-2026-1830?

Yes, a public proof-of-concept exploit is available for CVE-2026-1830. Prioritise patching immediately. EPSS: 0.2%.

How to fix or mitigate CVE-2026-1830?

Within 24 hours: Disable or immediately remove the Quick Playground plugin from all WordPress installations; if removal is not possible, restrict network access to the affected WordPress site using WAF rules or IP allowlisting. Within 7 days: Conduct forensic analysis of server logs and file systems for indicators of compromise dating back to plugin installation; rotate all server credentials, database passwords, and API keys. Within 30 days: Identify and deploy a maintained alternative plugin or custom solution for required Quick Playground functionality; implement application-level access controls on all REST API endpoints and enforce authentication on file upload operations.

PHP CVE-2026-1830

EUVD-2026-20843 CRITICAL

Missing Authorization (CWE-862)

2026-04-09 Wordfence

GHSA-8jp3-8878-6q85

WordPress PHP RCE Path Traversal Authentication Bypass

9.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Re-analysis Queued

Apr 24, 2026 - 18:07 vuln.today

cvss_changed

EUVD ID Assigned

Apr 09, 2026 - 04:30 euvd

EUVD-2026-20843

Analysis Generated

Apr 09, 2026 - 04:30 vuln.today

CVE Published

Apr 09, 2026 - 03:25 nvd

CRITICAL 9.8

DescriptionCVE.org

The Quick Playground plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.1. This is due to insufficient authorization checks on REST API endpoints that expose a sync code and allow arbitrary file uploads. This makes it possible for unauthenticated attackers to retrieve the sync code, upload PHP files with path traversal, and achieve remote code execution on the server.

AnalysisAI

Remote code execution in Quick Playground plugin for WordPress (all versions through 1.3.1) allows unauthenticated attackers to execute arbitrary PHP code on the server. Vulnerability stems from insufficient authorization on REST API endpoints that expose a sync code and permit unrestricted file uploads. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Access unprotected REST API endpoint

Exploit

Retrieve sync code without authentication

Execution

Upload PHP file with path traversal

Impact

Execute arbitrary code on server

Access

Access unprotected REST API endpoint

Exploit

Retrieve sync code without authentication

Execution

Upload PHP file with path traversal

Impact

Execute arbitrary code on server

Vulnerability AssessmentAI

Exploitation	Quick Playground plugin for WordPress versions up to 1.3.1 must be installed and active. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	Critical unauthenticated RCE via REST API authorization bypass affecting all Quick Playground versions through 1.3.1. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	Attacker sends unauthenticated REST request to vulnerable endpoint to retrieve sync code, then uploads PHP webshell via path traversal in file upload parameter, achieving remote code execution. Wordfence report confirms vulnerability details in plugin source code.
Remediation	Vendor-released patch: version 1.3.2 addresses authorization bypass and file upload vulnerabilities per changeset 3500839. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Disable or immediately remove the Quick Playground plugin from all WordPress installations; if removal is not possible, restrict network access to the affected WordPress site using WAF rules or IP allowlisting. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-49952 CRITICAL Act Now POC

9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce

CVE-2026-49954 HIGH This Week POC

8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to

CVE-2026-27053 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot

CVE-2026-49104 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

CVE-2026-1830 vulnerability details – vuln.today

Back

PHP CVE-2026-1830

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Share

External POC / Exploit Code