CVE-2026-6403

Quick Playground <= 1.3.3 - Unauthenticated Path Traversal to Arbitrary File Read via 'stylesheet' Parameter

Severity: high
Weakness: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS Score: 7.5
Patched in: 1.3.4
Time to patch: 1d

Description

The Quick Playground plugin for WordPress is vulnerable to Path Traversal in versions up to and including 1.3.3. The qckply_zip_theme() function appends a user-controlled 'stylesheet' parameter directly to the theme root directory path without sanitizing directory traversal sequences, and in the vulnerable versions it performs no capability check before doing so. This makes it possible for unauthenticated attackers to trigger the creation of a ZIP archive containing arbitrary files from the server's filesystem, including wp-config.php.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Technical Details

Affected versions: <= 1.3.3
Published: May 14, 2026
Last updated: May 15, 2026
Affected plugin: quick-playground

What Changed in the Fix

Changes introduced in v1.3.4 (the diff is shown under Security Fix below).

Source Code

WordPress.org SVN

Research Findings
Static analysis — not yet PoC-verified

Summary

The Quick Playground plugin for WordPress is vulnerable to unauthenticated path traversal because its theme-zipping function neither sanitizes the caller-supplied theme slug nor checks the caller's capabilities. By placing traversal sequences in that slug, an attacker can have sensitive files such as wp-config.php included in a ZIP archive written on the server and then retrieve that archive.

Vulnerable Code

// utility.php @ 1.3.3

/**
 * Zips a specific theme.
 *
 * @param string $stylesheet The theme stylesheet/slug.
 * @return string Success or failure message.
 */
function qckply_zip_theme($stylesheet) {
    $qckply_directories = qckply_get_directories();
    $qckply_uploads = $qckply_directories['uploads'];
    $source_directory = get_theme_root() . '/' . $stylesheet; //  Get theme path

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/quick-playground/1.3.3/utility.php /home/deploy/wp-safety.org/data/plugin-versions/quick-playground/1.3.4/utility.php
--- /home/deploy/wp-safety.org/data/plugin-versions/quick-playground/1.3.3/utility.php	2026-04-24 00:35:00.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/quick-playground/1.3.4/utility.php	2026-05-05 12:07:02.000000000 +0000
@@ -223,6 +223,9 @@
  * @return string Success or failure message.
  */
 function qckply_zip_current_theme() {
+    if(!current_user_can('manage_options')) {
+        return;
+    }
     $qckply_directories = qckply_get_directories();
     $qckply_uploads = $qckply_directories['uploads'];
     $source_directory = get_theme_root() . '/' . get_stylesheet(); //  Get theme path
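Review bot: the bare `return;` added at the top of qckply_zip_current_theme() yields null, while the docblock directly above still promises `@return string Success or failure message`, so a caller that echoes or tests the result as a string gets a silent null on a permission failure. Return an explicit failure message (or a WP_Error) and update the docblock. Also note that this function builds its path from get_stylesheet() rather than user input, so the check here is an authorization fix, not a traversal fix.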
@@ -240,6 +243,9 @@
  * @return string Success or failure message.
  */
 function qckply_zip_theme($stylesheet) {
+    if(!current_user_can('manage_options')) {
+        return;
+    }
     $qckply_directories = qckply_get_directories();
     $qckply_uploads = $qckply_directories['uploads'];
     $source_directory = get_theme_root() . '/' . $stylesheet; //  Get theme path
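Review bot: the capability check is added, but `$source_directory = get_theme_root() . '/' . $stylesheet;` is left exactly as before, so the traversal described in this advisory is unchanged for any caller that reaches qckply_zip_theme() with manage_options; the patch only narrows who can trigger it. Validate `$stylesheet` as a plain slug (for example reject it unless `basename($stylesheet) === $stylesheet` and `wp_get_theme($stylesheet)->exists()`), or compare `realpath($source_directory)` against `realpath(get_theme_root())` before zipping, and return a failure value that matches the `@return string` docblock instead of a bare `return;`.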
@@ -257,6 +263,9 @@
  * @return string|bool Success message or false on failure.
  */
 function qckply_zip_plugin($slug) {
+    if(!current_user_can('manage_options')) {
+        return;
+    }
     $qckply_directories = qckply_get_directories();
     $qckply_uploads = $qckply_directories['uploads'];
     $source_directory = trailingslashit(dirname(plugin_dir_path(__FILE__))) .$slug; //  Get plugin path
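Review bot: same pattern as the theme function: `$slug` is concatenated unchecked into `$source_directory`, and the bare `return;` contradicts the `@return string|bool` docblock, which here already names `false` as the documented failure value. Use `return false;` and restrict `$slug` to a single directory name (no separators) that exists under the plugins directory before building the path.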

Exploit Outline

The attacker targets an endpoint or action that invokes the qckply_zip_theme() function. By supplying a 'stylesheet' parameter containing directory traversal sequences (e.g., '../'), the attacker manipulates the $source_directory variable to point outside of the intended theme directory. This causes the plugin to compress arbitrary files from the server's filesystem into a ZIP archive. Since the function lacks authentication and authorization checks in vulnerable versions, an unauthenticated user can trigger the creation and potential exposure of this archive containing sensitive data like database credentials from wp-config.php.
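The following is an added example and is not code from the Quick Playground plugin or from this advisory. It shows, in a throwaway directory standing in for a WordPress install, how the concatenation pattern quoted above resolves outside the theme root for several traversal-shaped slugs, next to a hardened resolver that rejects them. The function name qckply_example_resolve_theme_dir, the slug character set, and the temporary directory layout are assumptions made for this example; the only WordPress behaviour relied on is that themes live in subdirectories of get_theme_root(), which the example replaces with a local path.

```php
<?php
// Added example, not the plugin's code. Demonstrates why appending an unchecked
// slug to a root path escapes that root, and one hardening pattern: accept only
// a plain directory name, then confirm the canonical path stays inside the root.
// qckply_example_resolve_theme_dir and the fixture layout are hypothetical.

declare(strict_types=1);

/**
 * Hypothetical hardened resolver. Returns the canonical theme directory, or
 * null when $stylesheet is not a plain slug or resolves outside $theme_root.
 */
function qckply_example_resolve_theme_dir(string $theme_root, string $stylesheet): ?string
{
    // First gate: a theme slug is a single directory name. Assumed character set;
    // this alone rejects separators, "..", "." and the empty string.
    if ($stylesheet === '' || !preg_match('/\A[A-Za-z0-9_-]+\z/', $stylesheet)) {
        return null;
    }

    // Second gate (defence in depth, also catches symlinks inside the theme
    // directory): canonicalise both paths and require containment.
    $root = realpath($theme_root);
    $candidate = realpath($theme_root . DIRECTORY_SEPARATOR . $stylesheet);
    if ($root === false || $candidate === false) {
        return null; // root missing, or no such theme directory
    }

    // Trailing separator stops "/themes-evil" from matching a root of "/themes".
    $rootWithSep = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate . DIRECTORY_SEPARATOR, $rootWithSep, strlen($rootWithSep)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed fixture: a temporary tree shaped like wp-content/themes plus a
// fake wp-config.php two levels up, so the traversal has something to reach.
$base = sys_get_temp_dir() . '/qckply_example_' . bin2hex(random_bytes(4));
$themeRoot = $base . '/wp-content/themes';
mkdir($themeRoot . '/twentytwentyfour', 0700, true);
file_put_contents($base . '/wp-config.php', "<?php // constructed placeholder, no real secrets\n");

$inputs = [
    'twentytwentyfour',      // legitimate slug
    '../../wp-config.php',   // traversal to the config file
    '../../',                // traversal to the install root
    'twentytwentyfour/..',   // traversal hidden behind a real theme directory
];

foreach ($inputs as $stylesheet) {
    // The vulnerable pattern from the advisory: concatenate and use as-is.
    $naive = $themeRoot . '/' . $stylesheet;
    $resolvedNaive = realpath($naive) ?: '(does not exist)';

    // The hardened resolver: anything but a real theme slug is rejected.
    $safe = qckply_example_resolve_theme_dir($themeRoot, $stylesheet) ?? '(rejected)';

    printf("%-22s naive -> %s\n%-22s safe  -> %s\n\n", $stylesheet, $resolvedNaive, '', $safe);
}

// Remove the fixture.
unlink($base . '/wp-config.php');
rmdir($themeRoot . '/twentytwentyfour');
rmdir($themeRoot);
rmdir($base . '/wp-content');
rmdir($base);
```

Run it with `php` from the command line. The naive column shows each traversal slug resolving to the fake wp-config.php, the install root, or the whole themes directory, while the hardened resolver returns the canonical theme path only for the legitimate slug. In a real plugin this resolver would sit behind the capability check the fix adds, plus a nonce check (check_admin_referer() or wp_verify_nonce()) on whatever action invokes it; on WordPress you can also replace the regex gate with a check that wp_get_theme($stylesheet)->exists(), which only succeeds for a registered theme directory.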
