CVE-2026-2500
MEDIUM
NVD
CVSS Score
4.4
Severity
MEDIUM
Published
Jun 06, 2026
Vendor
unknown
Description
The Quick Playground plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.4. This is due to the `qckply_data()` function passing the user-supplied `filename` POST parameter directly to `file_get_contents()` without any validation, sanitization, or path restriction. This makes it possible for authenticated attackers, with Administrator-level access and above, to read arbitrary files on the server, such as `wp-config.php` or `/etc/passwd`, which can contain sensitive information. Note: This vulnerability is only exploitable when the site has been synced with WordPress Playground (the `is_qckply_clone` option is set) or when running on `playground.wordpress.net`.
References
- https://plugins.trac.wordpress.org/browser/quick-playground/tags/1.2/client-qckply_data.php#L10
- https://plugins.trac.wordpress.org/browser/quick-playground/trunk/client-qckply_data.php#L10
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3558027%40quick-playground&new=3558027%40quick-playground&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/a920d8c0-fb6b-40dc-ae61-ac004b0dfccd?source=cve