CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
The Quick Playground plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.1. This is due to insufficient authorization checks on REST API endpoints that expose a sync code and allow arbitrary file uploads. This makes it possible for unauthenticated attackers to retrieve the sync code, upload PHP files with path traversal, and achieve remote code execution on the server.
Analysis
Remote code execution in the Quick Playground plugin for WordPress (all versions through 1.3.1) allows unauthenticated attackers to execute arbitrary PHP code on the server. The vulnerability stems from insufficient authorization on REST API endpoints that expose a sync code and permit unrestricted file uploads. …
Remediation
Within 24 hours: Disable or immediately remove the Quick Playground plugin from all WordPress installations; if removal is not possible, restrict network access to the affected WordPress site using WAF rules or IP allowlisting.
Within 7 days: Conduct forensic analysis of server logs and file systems for indicators of compromise dating back to plugin installation; rotate all server credentials, database passwords, and API keys. …
EUVD-2026-20843
GHSA-8jp3-8878-6q85