Ctrl + K
/ news / CVE
CVEPublished 2026-06-06Modified 2026-06-080 articles on news5 live referencesNVD data

CVE-2026-2500

Vulnerability data via NVD (ingested)

CVSS v3.1
4.4
MEDIUM
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
EPSS percentile
14
Exploit Prediction Scoring System · top 86% of all CVEs
Weaknesses (CWE)
CWE-22Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Description

The Quick Playground plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.4. This is due to the `qckply_data()` function passing the user-supplied `filename` POST parameter directly to `file_get_contents()` without any validation, sanitization, or path restriction. This makes it possible for authenticated attackers, with Administrator-level access and above, to read arbitrary files on the server, such as `wp-config.php` or `/etc/passwd`, which can contain sensitive information. Note: This vulnerability is only exploitable when the site has been synced with WordPress Playground (the `is_qckply_clone` option is set) or when running on `playground.wordpress.net`.

Timeline
Published 2026-06-06
Modified 2026-06-08

External references

NVDMITREExploit-DBSploitusVulnCheck

Search for exposed instances

Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).

Shodan · vuln tag0 hosts
vuln:CVE-2026-2500
Hosts Shodan has explicitly fingerprinted as vulnerable.
More intel sources (5)
Shodan report
vuln:CVE-2026-2500
Country / ASN / product breakdown for the vuln query.
Censys
vulnerabilities.cve_id: CVE-2026-2500
Censys host search filtered to this CVE id.
grep.app
CVE-2026-2500
Public source-code mentions — fast PoC discovery.
GitHub code
CVE-2026-2500
GitHub code search for direct mentions.
Google dork
"CVE-2026-2500" exploit -site:nvd.nist.gov
Write-ups and news, NVD excluded.

Known PoCs on GitHub (6)

CVE-2026-25006 repos
vxcontrol/pentagiGo
Fully autonomous AI Agents system capable of performing complex penetration testing tasks
★ 17,586·updated 1w ago
ByCh4n/BCHackToolShell
🔥 Professional Penetration Testing Framework v4.0 - Automated subdomain enumeration, vulnerability scanning with Nuclei, port scanning, and comprehensive HTML reports. Features pa…
★ 529·updated 5mo ago
sderosiaux/every-single-day-i-tldrunknown
A daily digest of the articles or videos I've found interesting, that I want to share with you.
★ 330·updated 2d ago
11notes/docker-pocket-idDockerfile
Run pocket-id rootless and distroless.
★ 73·updated 1w ago
jerrylususu/bookmark-collectionPython
What I have read, am reading or will read.
★ 31·updated today
Thesirix/ThesirixPython
My profil Fullstack (Python, React, JS, Html, Css ,Php, Laravel, Flutter, Express, Django). webdesign front-end back-end database adobe api
★ 23·updated today
We haven't classified any articles referencing CVE-2026-2500 yet. The external references above still apply.