CVE-2026-2500
MediumCVSS 4.4Summary
The Quick Playground plugin for WordPress is vulnerable to Path Traversal in all versions up to and including 1.3.4. The `qckply_data()` function passes the user-supplied `filename` POST parameter directly to `file_get_contents()` without validation, allowing authenticated attackers with Administrator-level access to read arbitrary files on the server.
Risk Assessment
Attackers can access sensitive information, such as the `wp-config.php` file or `/etc/passwd`, posing a serious threat to the organization's data security.
Recommendation
It is recommended to update the plugin to the latest version and implement additional security measures, such as restricting access to configuration files.
Original NVD description (English source)
The Quick Playground plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.4. This is due to the `qckply_data()` function passing the user-supplied `filename` POST parameter directly to `file_get_contents()` without any validation, sanitization, or path restriction. This makes it possible for authenticated attackers, with Administrator-level access and above, to read arbitrary files on the server, such as `wp-config.php` or `/etc/passwd`, which can contain sensitive information. Note: This vulnerability is only exploitable when the site has been synced with WordPress Playground (the `is_qckply_clone` option is set) or when running on `playground.wordpress.net`.

