CVE-2026-1830

WordPress · Quick Playground

The Quick Playground plugin for WordPress contains a remote code execution (RCE) vulnerability caused by missing authorization checks on its REST API endpoints, which allow unauthenticated file uploads.

Executive summary

A critical Remote Code Execution vulnerability in the Quick Playground WordPress plugin allows unauthenticated attackers to upload and execute arbitrary PHP on the web server, giving them control of the site and of anything the web server account can reach.

Vulnerability

The plugin does not perform authorization checks on its REST API endpoints. An unauthenticated attacker can therefore retrieve sync codes and upload files whose destination is controlled through path traversal in the upload path. Writing a PHP file into a web-accessible directory and then requesting it results in Remote Code Execution.

Business impact

This vulnerability lets an attacker execute arbitrary PHP code on the server with the privileges of the web server account. That is sufficient for full site takeover (including creation of administrator accounts and persistent backdoors), exfiltration of the database and configuration secrets, and enrolment of the host in a botnet, which is why the issue carries a CVSS score of 9.8.

Remediation

Immediate Action: Update the Quick Playground plugin to the latest version immediately, confirming from the vendor changelog that the release addresses this CVE. If no fixed version is available, deactivate and remove the plugin; deactivation alone may leave the plugin's files in place, so removal is the safer choice.

Proactive Monitoring: Scan the server for unauthorized files, particularly PHP files under wp-content/uploads, which WordPress never needs to serve. Because the upload path is attacker-controlled through traversal, do not limit the scan to the uploads directory: check the whole web root and any directory writable by the web server account. Review access logs for REST API requests (/wp-json/... or ?rest_route=...) that carry path traversal sequences or PHP filenames, and treat any such request that received a 200 response as a likely successful upload.

Compensating Controls: Use a Web Application Firewall (WAF) to block requests to REST API endpoints that contain path traversal patterns or file upload attempts with executable extensions. Rules must match after URL decoding, since traversal is commonly sent as %2e%2e%2f or double-encoded as %252e%252e%252f. A WAF reduces exposure but does not restore the missing authorization check, so it is a stopgap until the plugin is updated or removed.
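The following script is an added example for this advisory, not code from the Quick Playground plugin or from the advisory's author. It shows the two monitoring steps above in working form: it flags access-log entries that fit the described pattern (path traversal in REST API requests, PHP filenames in REST write requests, PHP being served from wp-content/uploads), normalising encoded and double-encoded paths before matching, and it lists PHP-like files under an uploads directory. The log lines are constructed, and the /wp-json/example/v1/... routes in them are placeholders; the plugin's real route names are not given on this page and should be substituted once the vendor publishes them.

```python
"""Access-log review and uploads scan for the REST-upload issue above.

Added example for this advisory; not code from the plugin or its author.
Sample log lines are constructed; the example/v1 routes are placeholders.
"""
import os
import re
import sys
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx "combined" format. Not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2026:12:00:01 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Feb/2026:12:00:02 +0000] "POST /wp-json/example/v1/upload?path=..%2F..%2Fshell.php HTTP/1.1" 200 17 "-" "python-requests/2.31"
203.0.113.9 - - [10/Feb/2026:12:00:03 +0000] "GET /wp-content/uploads/shell.php?cmd=id HTTP/1.1" 200 64 "-" "python-requests/2.31"
198.51.100.4 - - [10/Feb/2026:12:00:04 +0000] "GET /?rest_route=/wp/v2/users HTTP/1.1" 200 912 "-" "curl/8.0"
203.0.113.9 - - [10/Feb/2026:12:00:05 +0000] "POST /wp-json/example/v1/upload?path=%252e%252e%252fx.phtml HTTP/1.1" 200 17 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Extensions PHP-enabled servers may execute. ".php" followed by another dot
# is matched too, because some Apache AddHandler setups run shell.php.jpg.
PHP_EXT = re.compile(r'\.(?:php\d?|phtml|phar)(?![a-z0-9])')


def normalize_target(target: str) -> str:
    """Percent-decode repeatedly (catches double encoding such as %252e%252e),
    fold backslashes to slashes and lowercase, so the checks below see roughly
    what the application sees after its own decoding."""
    decoded = target
    for _ in range(3):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    return decoded.replace("\\", "/").lower()


def is_php_like(name: str) -> bool:
    """True if the name carries an extension a PHP-enabled server may execute."""
    return PHP_EXT.search(name.lower()) is not None


def parse_line(line: str):
    """Return the fields this check needs, or None for lines in another format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: dict) -> list:
    """Return the reasons an entry looks like abuse of a REST upload route."""
    reasons = []
    norm = normalize_target(entry["target"])
    path = norm.split("?", 1)[0]
    # Both REST URL forms: pretty permalinks (/wp-json/...) and ?rest_route=...
    is_rest = path.startswith("/wp-json/") or "rest_route=" in norm
    if is_rest and "../" in norm:
        reasons.append("path traversal in REST request")
    if is_rest and entry["method"] in ("POST", "PUT") and is_php_like(norm):
        reasons.append("PHP filename in REST write request")
    if path.startswith("/wp-content/uploads/") and is_php_like(path):
        reasons.append("PHP requested from uploads directory")
    return reasons


def scan_log(text: str) -> list:
    """Return flagged entries as (ip, method, target, status, reasons) tuples."""
    flagged = []
    for line in text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        reasons = classify(entry)
        if reasons:
            flagged.append((entry["ip"], entry["method"], entry["target"],
                            entry["status"], reasons))
    return flagged


def find_php_in_uploads(root: str) -> list:
    """Walk an uploads directory and return PHP-like files. WordPress never
    needs to serve PHP from wp-content/uploads, so every hit needs review."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in files if is_php_like(f))
    return sorted(hits)


if __name__ == "__main__":
    for ip, method, target, status, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {method} {target} -> {status}: {'; '.join(reasons)}")
    if len(sys.argv) > 1:  # optional: path to wp-content/uploads
        for hit in find_php_in_uploads(sys.argv[1]):
            print("PHP file in uploads:", hit)
```

Run it as-is to see the three constructed lines it flags (the two upload attempts, one of them double-encoded, and the follow-up request to the dropped file), or pass the path of a real wp-content/uploads directory as the first argument to list PHP-like files there. Because the traversal lets the attacker choose the destination, the directory walk should be repeated over the web root and any other directory the web server account can write to, not only uploads.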

Exploitation status

Public Exploit Available: No

Analyst recommendation

Unauthenticated file-upload flaws in WordPress plugins are frequently targeted by automated scanning soon after disclosure, regardless of whether a public exploit exists. Administrators must ensure the plugin is updated or removed immediately and should check for signs of prior compromise, since patching does not remove files an attacker has already placed.