CVE-2026-1830

Severity: Critical
Published: 09 April 2026
Modified: 24 April 2026
KEV Added: not listed
Patch: vendor plugin update available
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0309 (86.0th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-1830 is a critical-severity Missing Authorization (CWE-862) vulnerability in the Quick Playground plugin for WordPress (affected product inferred from references; NVD filed no CPE). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 14.0% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

The Quick Playground plugin for WordPress is vulnerable to remote code execution in all versions through 1.3.1. The flaw stems from missing authorization checks on REST API endpoints that expose a synchronization code and permit arbitrary file uploads, enabling path traversal when writing PHP files to the server. The issue is tracked as CVE-2026-1830 with a CVSS 3.1 score of 9.8 and is classified under CWE-862.

Unauthenticated attackers reachable over the network can retrieve the exposed sync code, upload malicious PHP files, and execute arbitrary code on the underlying server, resulting in full confidentiality, integrity, and availability impact.

Public references point to the plugin's api.php and expro-api.php source files along with a WordPress changeset that addresses the endpoints; the Wordfence advisory entry for this CVE recommends applying the available plugin update to close the authorization gaps.

At the time of this deeper analysis the EPSS score was a low 0.0115 with no indicated rise after disclosure; the current score shown in the header is 0.0309 (86.0th percentile).

Vulnerability details

The Quick Playground plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.1. This is due to insufficient authorization checks on REST API endpoints that expose a sync code and allow arbitrary file uploads. This makes it possible for unauthenticated attackers to retrieve the sync code, upload PHP files with path traversal, and achieve remote code execution on the server.

CWE(s)

CWE-862 Missing Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows unauthenticated remote code execution via exploitation of a public-facing WordPress plugin's REST API endpoints with missing authorization, enabling arbitrary PHP file uploads through path traversal.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-69311 (shared CWE-862)
CVE-2026-3266 (shared CWE-862)
CVE-2026-45438 (shared CWE-862)
CVE-2025-23477 (shared CWE-862)
CVE-2025-68834 (shared CWE-862)
CVE-2026-22663 (shared CWE-862)
CVE-2024-12544 (shared CWE-862)
CVE-2024-50967 (shared CWE-862)
CVE-2025-68059 (shared CWE-862)
CVE-2025-14070 (shared CWE-862)

Affected Assets

WordPress (Quick Playground plugin, versions up to and including 1.3.1)
Inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)
Directly enforces authorization checks on the exposed REST API endpoints that currently allow unauthenticated retrieval of the sync code and arbitrary file uploads.

AC-6 Least Privilege (prevent)
Ensures the plugin's sync and upload functions are restricted to the minimum privileges required, eliminating the unauthenticated access path used for RCE.

Vendor patch (prevent)
Requires prompt application of the vendor patch that closes the missing authorization gaps in api.php and expro-api.php.
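The weakness class behind this CVE (a REST route registered with no real permission check, feeding attacker-controlled filenames into a file write) and the AC-3/AC-6 controls above can both be shown in a single plugin fragment. The following is an added illustration, not Quick Playground's code and not taken from api.php or expro-api.php: the route namespace, option key, capability and filename parameter are hypothetical. The first block is the vulnerable pattern; the second is the hardened form a reviewer would expect after the fix.

```php
<?php
// Added example (hypothetical plugin, not Quick Playground code).
// Namespace 'example-plugin/v1', option 'example_sync_code' and the 'name'
// parameter are assumptions for illustration only.

// --- Vulnerable pattern: every caller is authorized, filename is trusted ---
add_action( 'rest_api_init', function () {
    // Leaks the secret to anyone who can reach /wp-json/: '__return_true'
    // declares the route public (omitting permission_callback entirely has the
    // same effect and only emits a _doing_it_wrong notice since WP 5.5).
    register_rest_route( 'example-plugin/v1', '/sync-code', array(
        'methods'             => 'GET',
        'callback'            => function () {
            return rest_ensure_response( array( 'code' => get_option( 'example_sync_code' ) ) );
        },
        'permission_callback' => '__return_true',
    ) );

    register_rest_route( 'example-plugin/v1', '/upload', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $request ) {
            $name = $request->get_param( 'name' );              // e.g. "../../shell.php"
            $dir  = wp_upload_dir()['basedir'] . '/example/';
            file_put_contents( $dir . $name, $request->get_body() ); // traversal + PHP write
            return rest_ensure_response( array( 'ok' => true ) );
        },
        'permission_callback' => '__return_true',
    ) );
} );

// --- Hardened form: capability check (AC-3/AC-6), filename sanitized,
//     extension allowlist, and a containment check on the resolved path ---
add_action( 'rest_api_init', function () {
    $can_manage = function () {
        // Fails closed for unauthenticated callers: with cookie auth WordPress
        // only populates the current user when a valid X-WP-Nonce is sent.
        return current_user_can( 'manage_options' );
    };

    register_rest_route( 'example-plugin/v1', '/sync-code-secure', array(
        'methods'             => 'GET',
        'callback'            => function () {
            return rest_ensure_response( array( 'code' => get_option( 'example_sync_code' ) ) );
        },
        'permission_callback' => $can_manage,
    ) );

    register_rest_route( 'example-plugin/v1', '/upload-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_handle_upload_secure',
        'permission_callback' => $can_manage,
        'args'                => array(
            'name' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_file_name', // strips "/" and "\"
            ),
        ),
    ) );
} );

function example_handle_upload_secure( WP_REST_Request $request ) {
    $base = trailingslashit( wp_upload_dir()['basedir'] ) . 'example/';
    wp_mkdir_p( $base );

    // sanitize_file_name() already removed path separators; basename() is a
    // second, independent guard against traversal.
    $name = basename( $request->get_param( 'name' ) );

    // Allowlist: only these extension/MIME pairs are accepted, so .php (and
    // double extensions such as .php.txt, which fail the MIME map) are rejected.
    $type = wp_check_filetype( $name, array( 'json' => 'application/json', 'txt' => 'text/plain' ) );
    if ( empty( $type['ext'] ) ) {
        return new WP_Error( 'rest_forbidden_type', 'File type not allowed.', array( 'status' => 400 ) );
    }

    $target = $base . $name;
    // Containment: the directory the file would land in must resolve to the
    // intended upload directory, whatever the filename looked like.
    if ( realpath( dirname( $target ) ) !== realpath( $base ) ) {
        return new WP_Error( 'rest_invalid_path', 'Invalid path.', array( 'status' => 400 ) );
    }

    file_put_contents( $target, $request->get_body() );
    return rest_ensure_response( array( 'ok' => true, 'file' => $name ) );
}
```

When auditing a plugin for this class of flaw, grep every register_rest_route() call for a permission_callback that is missing, '__return_true', or a closure that only checks the presence of a shared "sync code" rather than the caller's capability: a value that one unauthenticated endpoint hands out cannot serve as the authorization for another. The containment check on the resolved path is deliberately kept even though sanitize_file_name() and basename() already neutralise traversal, so the write stays safe if the sanitizer is later removed from the route's args.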
