Cyber Posture

CVE-2026-1830

Critical · Updated

Published: 09 April 2026
Modified: 24 April 2026
KEV Added: not listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0026 (49.0th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-1830 is a critical-severity Missing Authorization (CWE-862) vulnerability in the Quick Playground plugin for WordPress, affecting all versions up to and including 1.3.1 (NVD filed no CPE for this CVE, so the affected product is inferred from the references and the description). Its CVSS 3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 49.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)
Enforces approved authorizations for logical access to system resources, directly mitigating the insufficient authorization checks on the REST API endpoints that expose the sync code and accept file uploads.

SI-10 Information Input Validation (prevent)
Validates and sanitizes inputs to the REST API endpoints, preventing the path traversal in the uploaded file name and the arbitrary PHP file upload that leads to RCE.

SI-2 Flaw Remediation (prevent)
Identifies, reports, and remediates flaws such as the vulnerable code in api.php and expro-api.php of Quick Playground plugin versions up to and including 1.3.1.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why this technique?
The vulnerability allows unauthenticated remote code execution against a public-facing WordPress plugin's REST API endpoints that lack authorization checks: the attacker retrieves the exposed sync code, then uploads an arbitrary PHP file using path traversal in the file name.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

The Quick Playground plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.1. This is due to insufficient authorization checks on REST API endpoints that expose a sync code and allow arbitrary file uploads. This makes it possible for unauthenticated attackers to retrieve the sync code, upload PHP files with path traversal, and achieve remote code execution on the server.

Deeper analysis

CVE-2026-1830, published on 2026-04-09, is a critical remote code execution vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) linked to CWE-862 (Missing Authorization). It affects the Quick Playground plugin for WordPress in all versions up to and including 1.3.1. The flaw stems from insufficient authorization checks on REST API endpoints that expose a sync code and allow arbitrary file uploads.

Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By first retrieving the exposed sync code, they can upload malicious PHP files via path traversal, achieving remote code execution on the server.
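The chain described above (a secret handed out by one unauthenticated endpoint, then used as the only gate on an upload endpoint that writes to a caller-chosen file name) and the AC-3 and SI-10 controls listed under Mitigating Controls, shown side by side as an added PHP example. This is illustrative code written for this page, not the Quick Playground plugin's code and not a reconstruction of api.php or expro-api.php; the route namespace example-sync/v1, the option name example_sync_code and the function names are assumptions.

```php
<?php
// Added illustration, not code from the Quick Playground plugin or any real
// project. Namespace "example-sync/v1", option "example_sync_code" and all
// function names are assumptions made for this example.

// --- Vulnerable pattern: two REST routes with no authorization (CWE-862) ---
// 1. /code hands the shared secret to anyone who asks.
// 2. /upload accepts that secret as its only gate and writes the request body
//    to a caller-chosen name, so "../../x.php" escapes the upload directory.
function example_sync_register_vulnerable_routes() {
    register_rest_route( 'example-sync/v1', '/code', array(
        'methods'             => 'GET',
        'permission_callback' => '__return_true',          // anyone, no login
        'callback'            => function () {
            return array( 'code' => get_option( 'example_sync_code' ) );
        },
    ) );
    register_rest_route( 'example-sync/v1', '/upload', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true',          // anyone, no login
        'callback'            => function ( WP_REST_Request $request ) {
            if ( $request->get_param( 'code' ) !== get_option( 'example_sync_code' ) ) {
                return new WP_Error( 'forbidden', 'bad code', array( 'status' => 403 ) );
            }
            $dir  = wp_upload_dir()['basedir'] . '/example-sync/';
            $name = $request->get_param( 'name' );          // used as given
            file_put_contents( $dir . $name, $request->get_body() );
            return array( 'saved' => $name );
        },
    ) );
}

// --- Hardened pattern: capability check (AC-3) and input validation (SI-10) ---
function example_sync_validate_name( $value ) {
    // Exactly one plain file name: no directory components (basename() must
    // return the input unchanged), no NUL byte, one dot, allow-listed extension.
    return is_string( $value )
        && $value === basename( $value )
        && false === strpos( $value, "\0" )
        && 1 === preg_match( '/^[A-Za-z0-9_-]{1,64}\.(json|txt)$/', $value );
}

function example_sync_register_hardened_routes() {
    // The secret is never exposed over REST: the /code route is simply not registered.
    register_rest_route( 'example-sync/v1', '/upload', array(
        'methods'             => 'POST',
        // AC-3: the handler runs only for a logged-in user holding the capability.
        // Cookie-authenticated callers must also send a valid X-WP-Nonce, which
        // WordPress core checks before this callback is reached.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'name' => array(
                'required'          => true,
                'type'              => 'string',
                'validate_callback' => 'example_sync_validate_name',   // SI-10
                'sanitize_callback' => 'sanitize_file_name',
            ),
        ),
        'callback' => function ( WP_REST_Request $request ) {
            $dir = trailingslashit( wp_upload_dir()['basedir'] ) . 'example-sync/';
            wp_mkdir_p( $dir );
            $dest = $dir . basename( $request->get_param( 'name' ) );
            // Defense in depth: the resolved parent of the target must be the
            // upload directory itself, even if a check above is later weakened.
            if ( realpath( dirname( $dest ) ) !== realpath( $dir ) ) {
                return new WP_Error( 'bad_path', 'invalid destination', array( 'status' => 400 ) );
            }
            file_put_contents( $dest, $request->get_body() );
            return new WP_REST_Response( array( 'saved' => basename( $dest ) ), 201 );
        },
    ) );
}

add_action( 'rest_api_init', 'example_sync_register_hardened_routes' );
```

Two points the example is built to show. First, a shared secret is not authorization when another route on the same plugin hands it out to unauthenticated callers; the fix is a real permission_callback tied to a capability, not a stronger secret. Second, the extension allow-list alone would not stop a traversal payload such as ../../wp-content/evil.json, so the name is confined with basename(), a strict pattern, and a realpath() comparison on the final destination.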

The references into the WordPress plugins Trac repository identify vulnerable code at api.php line 39 and expro-api.php line 419, and changeset 3500839 documents changes to the Quick Playground plugin. Wordfence threat intelligence (vulnerability ID 308cd28a-a477-4bc6-a392-ad5a9eca1cb5) provides additional details on the issue.

Details

CWE(s)

CWE-862 Missing Authorization

Affected Products

Quick Playground plugin for WordPress, all versions up to and including 1.3.1
(product inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2024-11423 (shared CWE-862)
CVE-2026-24534 (shared CWE-862)
CVE-2026-25164 (shared CWE-862)
CVE-2024-50967 (shared CWE-862)
CVE-2026-24369 (shared CWE-862)
CVE-2026-23974 (shared CWE-862)
CVE-2025-24692 (shared CWE-862)
CVE-2026-24322 (shared CWE-862)
CVE-2025-14657 (shared CWE-862)
CVE-2025-69192 (shared CWE-862)

References