Quick Playground WordPress Plugin Remote Code Execution Vulnerability

A remote code execution vulnerability exists in the Quick Playground WordPress plugin, affecting all versions through 1.3.1. The issue arises from inadequate authorization checks on REST API endpoints, which expose a synchronization code and permit arbitrary file uploads. This vulnerability allows unauthenticated attackers to access the synchronization code, upload PHP files using path traversal techniques, and execute remote code on the server.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where the affected WordPress site is hosted.

Reproduction

The vulnerability can be reproduced by sending a POST request to the 'quickplayground/v1/authorize_sync/{profile}' endpoint, without a valid synchronization code. This request can be made from any origin, as the plugin does not properly validate the 'Authorization' header or the 'Referer' header. Once the synchronization is authorized, the 'quickplayground/v1/upload_image/{profile}' endpoint can be used to upload a PHP file disguised as an image, leveraging the same lack of authorization and the ability to traverse directories.

Remediation

Users are advised to update the Quick Playground WordPress plugin to version 1.3.2 or later.