PT-2026-47126 · David F. Carr · Quick Playground
Pablo Santiago · Published 2026-06-06 · Updated 2026-06-06
CVE-2026-2500
CVSS v3.1: 4.4 (Medium)
Vector: AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
The Quick Playground plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.4. This is due to the qckply_data() function passing the user-supplied filename POST parameter directly to file_get_contents() without any validation, sanitization, or path restriction. This makes it possible for authenticated attackers, with Administrator-level access and above, to read arbitrary files on the server, such as wp-config.php or /etc/passwd, which can contain sensitive information. Note: This vulnerability is only exploitable when the site has been synced with WordPress Playground (the is_qckply_clone option is set) or when running on playground.wordpress.net.
Fix
Path traversal
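The path restriction the description says is missing can be sketched as follows. This is an added example, not code from the Quick Playground plugin or its patch; the function name, the export directory, the file naming scheme and the sample file are assumptions made for illustration.

```php
<?php
// Added illustration. Not the Quick Playground source; all names are hypothetical.

// Resolve a client-supplied file name to a real file inside $baseDir, or null.
function example_resolve_in_base(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Allow-list: a bare file name only (assumed naming scheme), so no
    // separators, NUL bytes or scheme prefixes ever reach the filesystem call.
    if (preg_match('/\A[A-Za-z0-9._-]+\z/', $requested) !== 1) {
        return null;
    }
    // realpath() collapses ".." and symlinks and returns false if nothing exists.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Containment check on the resolved path. The trailing separator stops
    // a sibling such as "/data/export-old" matching base "/data/export".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed demo data: a temporary export directory holding one file.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'example_export_' . bin2hex(random_bytes(4));
mkdir($base, 0700);
file_put_contents($base . DIRECTORY_SEPARATOR . 'posts.json', '{"ok":true}');

// 'posts.json' is the only allowed name; the others mirror the advisory's targets.
foreach (['posts.json', '../wp-config.php', '/etc/passwd', '..', 'missing.json'] as $name) {
    $path = example_resolve_in_base($base, $name);
    printf("%-20s %s\n", $name, $path === null ? 'rejected' : 'allowed');
}

unlink($base . DIRECTORY_SEPARATOR . 'posts.json');
rmdir($base);
```

Only the resolved path returned by the helper should be handed to file_get_contents(); the raw POST value never is.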
Weakness Enumeration
Related Identifiers
Affected Products
Quick Playground