Home

Description

The Quick Playground plugin for WordPress is vulnerable to Path Traversal in versions up to and including 1.3.3. This is due to insufficient path validation in the qckply_zip_theme() function, which appends a user-controlled 'stylesheet' parameter directly to the theme root directory path without sanitizing directory traversal sequences. This makes it possible for unauthenticated attackers to trigger the creation of a ZIP archive containing arbitrary files from the server's filesystem — including wp-config.

PUBLISHED Reserved 2026-04-15 | Published 2026-05-15 | Updated 2026-05-15 | Assigner Wordfence




HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status
unaffected

Any version
affected

Timeline

2026-04-15:Vendor Notified
2026-05-14:Disclosed

Credits

Athiwat Tiprasaharn finder

Itthidej Aramsri finder

References

www.wordfence.com/...-b635-44af-b0e0-c3010b719773?source=cve

plugins.trac.wordpress.org/...k-playground/trunk/utility.php

plugins.trac.wordpress.org/...yground/tags/1.3.1/utility.php

plugins.trac.wordpress.org/...quick-playground/trunk/api.php

plugins.trac.wordpress.org/...-playground/tags/1.3.1/api.php

plugins.trac.wordpress.org/...k-playground/trunk/utility.php

plugins.trac.wordpress.org/...yground/tags/1.3.1/utility.php

plugins.trac.wordpress.org/...quick-playground/trunk/api.php

plugins.trac.wordpress.org/...-playground/tags/1.3.1/api.php

plugins.trac.wordpress.org/...ayground&sfp_email=&sfph_mail=

plugins.trac.wordpress.org/...ayground&sfp_email=&sfph_mail=

cve.org (CVE-2026-6403)

nvd.nist.gov (CVE-2026-6403)

Download JSON