CVE-2026-1830: Unauthenticated RCE in Quick Playground WordPress Plugin
CVE-2026-1830 is an unauthenticated remote code execution vulnerability in the Quick Playground plugin for WordPress. The flaw stems from insufficient authorization checks on REST API endpoints that allow arbitrary file uploads.
Vulnerability Summary
CVE-2026-1830 is a remote code execution vulnerability in the Quick Playground plugin for WordPress. The vulnerability affects all versions up to and including 1.3.1 and was patched in version 1.3.2.
CVSS Score: 9.1 (Critical)
Authentication Required: None
Attack Vector: REST API endpoint
Technical Details
The Quick Playground plugin exposes REST API endpoints that are intended for syncing code between environments. These endpoints did not implement proper authentication or authorization checks, meaning any HTTP client could interact with them without providing any credentials.
The vulnerable endpoints accepted arbitrary file uploads. By crafting a request that uploads a PHP file to a web-accessible directory, an unauthenticated attacker can achieve remote code execution. The file, once uploaded, can be directly accessed through the browser to execute arbitrary PHP commands on the server.
Who Is at Risk
Any WordPress site with Quick Playground version 1.3.1 or earlier installed and active is at risk. Even sites where the plugin is installed but deactivated may be partially at risk if the plugin files remain on disk and the REST API endpoint registration persists from a previous activation.
What to Do
Update to Quick Playground version 1.3.2 immediately. If you installed the plugin for testing purposes and no longer need it, delete it entirely. Check your site for unexpected PHP files in your uploads directory and other web-accessible locations as a precaution. If you find unexpected files, treat your site as potentially compromised and follow your incident response procedure.
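To support the file check recommended above, here is an added example script (not part of this advisory and not the plugin's own code) that walks a WordPress uploads directory and reports files that either carry a PHP-executable extension or contain a PHP open tag in their leading bytes. The uploads path is taken from the command line; the extension list and the 64 KiB read window are assumptions chosen for the example, so adjust them to your environment.

```php
<?php
// Constructed example: report PHP-like files under wp-content/uploads.
// Usage: php scan-uploads.php /var/www/html/wp-content/uploads
// Exit status is 1 when anything suspicious is found, so the script can be
// run from cron and alert on a non-zero exit.

declare(strict_types=1);

// Extensions that a typical Apache/PHP setup will execute (assumed list).
const SUSPICIOUS_EXTENSIONS = array( 'php', 'php3', 'php5', 'php7', 'phtml', 'phar' );

// Only the leading bytes are inspected so large media files stay cheap to scan.
const HEAD_BYTES = 65536;

function scan_uploads( string $dir ): array {
    if ( ! is_dir( $dir ) ) {
        throw new RuntimeException( "Not a directory: $dir" );
    }

    $hits = array();
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
    );

    foreach ( $iter as $file ) {
        if ( ! $file->isFile() ) {
            continue;
        }
        $path    = $file->getPathname();
        $ext     = strtolower( $file->getExtension() );
        $reasons = array();

        // 1. Executable extension inside a directory that should only hold media.
        if ( in_array( $ext, SUSPICIOUS_EXTENSIONS, true ) ) {
            $reasons[] = "executable extension .$ext";
        }

        // 2. PHP open tag in the leading bytes, which catches files disguised
        //    with an image extension that a misconfigured server might still run.
        $head = @file_get_contents( $path, false, null, 0, HEAD_BYTES );
        if ( $head !== false && stripos( $head, '<?php' ) !== false ) {
            $reasons[] = 'contains "<?php" in leading bytes';
        }

        // 3. Per-directory server config can re-enable PHP execution in uploads.
        $base = $file->getFilename();
        if ( $base === '.htaccess' || $base === '.user.ini' ) {
            $reasons[] = "server configuration file $base";
        }

        if ( $reasons ) {
            $hits[ $path ] = $reasons;
        }
    }

    ksort( $hits );
    return $hits;
}

if ( PHP_SAPI === 'cli' ) {
    if ( ! isset( $argv[1] ) ) {
        fwrite( STDERR, "usage: php {$argv[0]} /path/to/wp-content/uploads\n" );
        exit( 2 );
    }
    $hits = scan_uploads( $argv[1] );
    foreach ( $hits as $path => $reasons ) {
        echo $path, "\n";
        foreach ( $reasons as $reason ) {
            echo "    - ", $reason, "\n";
        }
    }
    echo count( $hits ), " suspicious file(s) found\n";
    exit( $hits ? 1 : 0 );
}
```

A hit is a signal to investigate, not proof of compromise: compare the file against a known-good copy of the site or the plugin package, check its modification time against your deployment history, and, as the advisory says, treat the site as potentially compromised if you cannot account for it.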
REST API Security in WordPress
This vulnerability is an example of a common pattern in WordPress plugin security failures: REST API endpoints that expose powerful functionality without proper authentication. WordPress provides a nonce and capability (permissions) system specifically for securing REST API endpoints, but plugins must implement these controls correctly. Always keep plugins that expose REST API functionality updated to the latest version.
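As an added illustration of the pattern described in this advisory (constructed for this page, not the Quick Playground plugin's own code), the snippet below shows a REST route registered with a permission_callback of __return_true that writes the request body to a client-chosen filename, beside a hardened registration that requires a capability in permission_callback, validates the filename argument, and lets wp_upload_bits enforce the site's allowed file types. The namespace qp-demo/v1, the route paths and the function names are assumptions for the example; the code only runs when WordPress loads it as a plugin.

```php
<?php
/**
 * Plugin Name: QP Demo REST Hardening (constructed example)
 * Description: Insecure and hardened versions of a file-sync REST route.
 */

defined( 'ABSPATH' ) || exit;

add_action( 'rest_api_init', function () {

	// INSECURE: the pattern behind this class of bug. '__return_true' makes
	// the route reachable by any unauthenticated HTTP client, and the handler
	// trusts both the filename and the content it is handed.
	register_rest_route( 'qp-demo/v1', '/sync-insecure', array(
		'methods'             => WP_REST_Server::CREATABLE,
		'callback'            => 'qp_demo_sync_insecure',
		'permission_callback' => '__return_true',
	) );

	// HARDENED: the same functionality behind an explicit authorization check
	// and argument validation.
	register_rest_route( 'qp-demo/v1', '/sync', array(
		'methods'             => WP_REST_Server::CREATABLE,
		'callback'            => 'qp_demo_sync_secure',
		// Runs before the callback. For cookie-based sessions WordPress only
		// treats the request as logged in when it carries a valid X-WP-Nonce
		// header (action 'wp_rest'), so this check covers both nonce and role.
		'permission_callback' => function () {
			return current_user_can( 'manage_options' );
		},
		'args' => array(
			'name' => array(
				'required'          => true,
				'type'              => 'string',
				'validate_callback' => 'qp_demo_validate_name',
			),
		),
	) );
} );

function qp_demo_sync_insecure( WP_REST_Request $request ) {
	$uploads = wp_upload_dir();
	$target  = $uploads['basedir'] . '/' . $request->get_param( 'name' );
	// No extension check, no path normalisation, no authorization.
	file_put_contents( $target, $request->get_body() );
	return rest_ensure_response( array( 'written' => $target ) );
}

// Allow-list of extensions the sync feature legitimately needs (assumed).
const QP_DEMO_ALLOWED_EXT = array( 'json', 'txt', 'css' );

function qp_demo_validate_name( $value ): bool {
	if ( ! is_string( $value ) || '' === $value ) {
		return false;
	}
	// sanitize_file_name() strips path separators and other unsafe characters;
	// requiring the input to survive it unchanged rejects traversal attempts.
	if ( sanitize_file_name( $value ) !== $value ) {
		return false;
	}
	$ext = strtolower( pathinfo( $value, PATHINFO_EXTENSION ) );
	return in_array( $ext, QP_DEMO_ALLOWED_EXT, true );
}

function qp_demo_sync_secure( WP_REST_Request $request ) {
	$name = $request->get_param( 'name' );
	// wp_upload_bits() writes inside the uploads directory using WordPress's
	// own filename handling and refuses extensions that are not in the site's
	// allowed MIME types, so a .php name is rejected even if the allow-list
	// above were misconfigured.
	$result = wp_upload_bits( $name, null, $request->get_body() );
	if ( ! empty( $result['error'] ) ) {
		return new WP_Error( 'qp_demo_write_failed', $result['error'], array( 'status' => 400 ) );
	}
	return rest_ensure_response( array( 'file' => $result['file'] ) );
}
```

The hardened route stacks three independent controls: permission_callback decides who may call it, validate_callback constrains the filename argument before the callback sees it, and wp_upload_bits applies the site-wide file type policy when writing. When reviewing a plugin, a permission_callback that returns true unconditionally on a route that writes files or changes settings is the first thing to flag.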