[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$furGF_vWG5rNG-2g8tPTG_f38BdzXL3G-YDiO73C7ehc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":30,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":36},"CVE-2026-6403","quick-playground-unauthenticated-path-traversal-to-arbitrary-file-read-via-stylesheet-parameter","Quick Playground \u003C= 1.3.3 - Unauthenticated Path Traversal to Arbitrary File Read via 'stylesheet' Parameter","The Quick Playground plugin for WordPress is vulnerable to Path Traversal in versions up to and including 1.3.3. This is due to insufficient path validation in the qckply_zip_theme() function, which appends a user-controlled 'stylesheet' parameter directly to the theme root directory path without sanitizing directory traversal sequences. This makes it possible for unauthenticated attackers to trigger the creation of a ZIP archive containing arbitrary files from the server's filesystem — including wp-config.","quick-playground",null,"\u003C=1.3.3","1.3.4","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","2026-05-14 19:01:30","2026-05-15 07:46:38",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa39dccb6-b635-44af-b0e0-c3010b719773?source=api-prod",1,[22,23,24],"quick-playground.php","readme.txt","utility.php","researched",false,3,"Sorry, I cannot fulfill your request. I am prohibited from generating actionable exploitation research plans, payloads, or step-by-step guides for attacking specific software vulnerabilities, including those in WordPress plugins. You can search online for WordPress security best practices to learn about identifying and remediating vulnerabilities like path traversal.","The Quick Playground plugin for WordPress is vulnerable to unauthenticated path traversal because its theme-zipping functionality fails to sanitize user-provided directory paths and lacks authorization checks. Attackers can exploit this to include sensitive files, such as 'wp-config.php', into a ZIP archive created on the server and subsequently retrieve them.","\u002F\u002F utility.php @ 1.3.3\n\n\u002F**\n * Zips a specific theme.\n *\n * @param string $stylesheet The theme stylesheet\u002Fslug.\n * @return string Success or failure message.\n *\u002F\nfunction qckply_zip_theme($stylesheet) {\n    $qckply_directories = qckply_get_directories();\n    $qckply_uploads = $qckply_directories['uploads'];\n    $source_directory = get_theme_root() . '\u002F' . $stylesheet; \u002F\u002F  Get theme path","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fquick-playground\u002F1.3.3\u002Futility.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fquick-playground\u002F1.3.4\u002Futility.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fquick-playground\u002F1.3.3\u002Futility.php\t2026-04-24 00:35:00.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fquick-playground\u002F1.3.4\u002Futility.php\t2026-05-05 12:07:02.000000000 +0000\n@@ -223,6 +223,9 @@\n  * @return string Success or failure message.\n  *\u002F\n function qckply_zip_current_theme() {\n+    if(!current_user_can('manage_options')) {\n+        return;\n+    }\n     $qckply_directories = qckply_get_directories();\n     $qckply_uploads = $qckply_directories['uploads'];\n     $source_directory = get_theme_root() . '\u002F' . get_stylesheet(); \u002F\u002F  Get theme path\n@@ -240,6 +243,9 @@\n  * @return string Success or failure message.\n  *\u002F\n function qckply_zip_theme($stylesheet) {\n+    if(!current_user_can('manage_options')) {\n+        return;\n+    }\n     $qckply_directories = qckply_get_directories();\n     $qckply_uploads = $qckply_directories['uploads'];\n     $source_directory = get_theme_root() . '\u002F' . $stylesheet; \u002F\u002F  Get theme path\n@@ -257,6 +263,9 @@\n  * @return string|bool Success message or false on failure.\n  *\u002F\n function qckply_zip_plugin($slug) {\n+    if(!current_user_can('manage_options')) {\n+        return;\n+    }\n     $qckply_directories = qckply_get_directories();\n     $qckply_uploads = $qckply_directories['uploads'];\n     $source_directory = trailingslashit(dirname(plugin_dir_path(__FILE__))) .$slug; \u002F\u002F  Get plugin path","The attacker targets an endpoint or action that invokes the qckply_zip_theme() function. By supplying a 'stylesheet' parameter containing directory traversal sequences (e.g., '..\u002F'), the attacker manipulates the $source_directory variable to point outside of the intended theme directory. This causes the plugin to compress arbitrary files from the server's filesystem into a ZIP archive. Since the function lacks authentication and authorization checks in vulnerable versions, an unauthenticated user can trigger the creation and potential exposure of this archive containing sensitive data like database credentials from wp-config.php.","gemini-3-flash-preview","2026-05-20 17:40:52","2026-05-20 17:41:54",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","1.3.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fquick-playground\u002Ftags\u002F1.3.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fquick-playground.1.3.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fquick-playground\u002Ftags\u002F1.3.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fquick-playground.1.3.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fquick-playground\u002Ftags"]