CVE-2026-1830
Published: 09 April 2026
Summary
CVE-2026-1830 is a critical-severity Missing Authorization (CWE-862) vulnerability in the Quick Playground plugin for WordPress (product inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 14.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
The Quick Playground plugin for WordPress is vulnerable to remote code execution in all versions up to and including 1.3.1. The flaw stems from missing authorization checks on REST API endpoints: one endpoint hands out the plugin's synchronization code to any caller, and another accepts arbitrary file uploads whose destination path is not sanitized, so a caller can traverse out of the intended directory and write PHP files anywhere the web server user can write. The issue is tracked as CVE-2026-1830 with a CVSS 3.1 score of 9.8 and is classified under CWE-862.
Unauthenticated attackers who can reach the site over the network can retrieve the exposed sync code, upload a malicious PHP file to a web-accessible path, request it, and execute arbitrary code as the web server user, resulting in full confidentiality, integrity, and availability impact. No credentials or user interaction are required.
Public references point to the plugin's api.php and expro-api.php source files along with a WordPress changeset that addresses the endpoints; the Wordfence advisory entry for this CVE recommends applying the available plugin update to close the authorization gaps.
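The pattern described above, as an added illustration that is not the Quick Playground plugin's code: a WordPress REST upload route with the two defects the advisory names (no authorization, caller-controlled destination path) beside a hardened version. The `demo/v1` namespace, the `/upload` and `/upload-safe` routes and the `name` parameter are assumptions; every WordPress function used is a real core API.

```php
<?php
// Added example (not the plugin's code). Namespace, route and parameter
// names are placeholders chosen for the illustration.

// --- Vulnerable pattern ----------------------------------------------------
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/upload', array(
        'methods'             => 'POST',
        // '__return_true' makes the route reachable by unauthenticated callers.
        // A "sync code" that another unauthenticated route hands out is not an
        // authorization control either: the attacker simply fetches it first.
        'permission_callback' => '__return_true',
        'callback'            => function ( WP_REST_Request $request ) {
            $dir = wp_upload_dir();
            // The caller controls the file name. "../../shell.php" walks out of
            // the uploads directory and lands an executable PHP file.
            $dest = $dir['basedir'] . '/' . $request->get_param( 'name' );
            file_put_contents( $dest, $request->get_body() );
            return rest_ensure_response( array( 'stored' => $dest ) );
        },
    ) );
} );

// --- Hardened pattern ------------------------------------------------------
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/upload-safe', array(
        'methods'             => 'POST',
        // Authorization: the caller must be an authenticated user holding the
        // upload_files capability. For cookie-authenticated REST calls WordPress
        // only populates the current user when a valid X-WP-Nonce is sent.
        'permission_callback' => function () {
            return current_user_can( 'upload_files' );
        },
        'args' => array(
            'name' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_file_name',
            ),
        ),
        'callback' => function ( WP_REST_Request $request ) {
            // Strip any directory component, then allow-list the extension
            // against the site's permitted MIME types (PHP is never permitted).
            $name = basename( $request->get_param( 'name' ) );
            $type = wp_check_filetype( $name );
            if ( empty( $type['ext'] ) || 'php' === strtolower( $type['ext'] ) ) {
                return new WP_Error( 'rest_forbidden', 'File type not allowed.', array( 'status' => 403 ) );
            }
            $dir  = wp_upload_dir();
            $dest = realpath( $dir['basedir'] ) . DIRECTORY_SEPARATOR . $name;
            if ( false === file_put_contents( $dest, $request->get_body() ) ) {
                return new WP_Error( 'rest_write_failed', 'Could not store file.', array( 'status' => 500 ) );
            }
            return rest_ensure_response( array( 'stored' => $name ) );
        },
    ) );
} );
```

The two checks are independent and both are needed: the capability check in `permission_callback` closes the CWE-862 gap, while `basename` plus the extension allow-list closes the traversal-to-PHP path even for a legitimately authorized but compromised account.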
EPSS remains flat at a low 0.0115 with no indicated rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-20843
Vulnerability details
The Quick Playground plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.1. This is due to insufficient authorization checks on REST API endpoints that expose a sync code and allow arbitrary file uploads. This makes it possible for unauthenticated attackers to retrieve the sync code, upload PHP files with path traversal, and achieve remote code execution on the server.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows unauthenticated remote code execution against a public-facing WordPress site: the plugin's REST API endpoints lack authorization, so an attacker can upload a PHP file, use path traversal to place it where the web server will execute it, and run arbitrary code. That is the textbook shape of T1190.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces authorization checks on the exposed REST API endpoints that currently allow unauthenticated retrieval of the sync code and arbitrary file uploads.
- AC-6 (Least Privilege): Ensures the plugin's sync and upload functions are restricted to the minimum privileges required, eliminating the unauthenticated access path used for RCE.
- Flaw remediation: Requires prompt application of the vendor patch that closes the missing authorization gaps in api.php and expro-api.php.
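A practical check for the AC-3 control above, added here as an example and not part of the advisory or the plugin: enumerate every REST route registered on a WordPress site and report the ones whose `permission_callback` is absent or `__return_true`, i.e. reachable without any authorization decision. It uses only the core `rest_get_server()->get_routes()` API; the namespace filter argument and the script file name are assumptions.

```php
<?php
// Added audit script (not from the advisory or the plugin).
// Run from the site root with WP-CLI:  wp eval-file audit-rest-routes.php
// Pass a route prefix such as '/demo/v1' to narrow the output to one plugin.

function audit_open_rest_routes( $route_prefix = '/' ) {
    $open = array();
    foreach ( rest_get_server()->get_routes() as $route => $handlers ) {
        if ( 0 !== strpos( $route, $route_prefix ) ) {
            continue;
        }
        // A route may have several handlers (one per method set); check each.
        foreach ( $handlers as $handler ) {
            $cb = isset( $handler['permission_callback'] ) ? $handler['permission_callback'] : null;
            if ( null === $cb || '__return_true' === $cb ) {
                $methods = isset( $handler['methods'] ) && is_array( $handler['methods'] )
                    ? implode( ',', array_keys( array_filter( $handler['methods'] ) ) )
                    : '?';
                $open[] = sprintf( '%-20s %s  (%s)', $methods, $route,
                    null === $cb ? 'no permission_callback' : '__return_true' );
            }
        }
    }
    return $open;
}

$prefix = isset( $args[0] ) ? $args[0] : '/';
foreach ( audit_open_rest_routes( $prefix ) as $line ) {
    WP_CLI::log( $line );
}
```

Some hits are legitimate (read-only routes that return public data, such as the REST index), so the output is a review list, not a verdict. Any route on the list that writes files, settings or secrets, or that returns a value later used as a credential (the advisory's "sync code" is exactly that), should be treated as a finding until it gets a real capability check.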