Quick Playground <= 1.3.4 - Authenticated (Administrator+) Arbitrary File Read via 'filename' Parameter
CVE-2026-2500

4.4MEDIUM

Key Information:

Vendor: WordPress
Status: Quick Playground
Vendor: CVE Published:; 6 June 2026

What is CVE-2026-2500?

The Quick Playground plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.4. This is due to the qckply_data() function passing the user-supplied filename POST parameter directly to file_get_contents() without any validation, sanitization, or path restriction. This makes it possible for authenticated attackers, with Administrator-level access and above, to read arbitrary files on the server, such as wp-config.php or /etc/passwd, which can contain sensitive information. Note: This vulnerability is only exploitable when the site has been synced with WordPress Playground (the is_qckply_clone option is set) or when running on playground.wordpress.net.

Affected Version(s)

Quick Playground 0 <= 1.3.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/quick-playgrou...

CVSS V3.1

Score:

4.4

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 6, 2026
Vulnerability Reserved
Feb 13, 2026

Credit

Pablo Santiago

CVE-2026-2500 Data

JSON