
Critical RCE Vulnerabilities in WordPress Plugins Exposed

Severity: High (Score: 72.0)

Sources: Medium, Sentinelone, www.wordfence.com

Summary

Two critical vulnerabilities affecting WordPress plugins have been reported. CVE-2023-6553 targets the Backup Migration plugin (versions ≤1.3.7), allowing unauthenticated remote code execution through a Local File Inclusion flaw; its CVSS score of 9.8 reflects that severity. The second vulnerability, CVE-2026-1830, affects the Quick Playground plugin (versions ≤1.3.1) and lets unauthenticated attackers exploit insufficient authorization checks on REST API endpoints, leading to arbitrary file uploads and remote code execution. Both vulnerabilities pose significant risks, including full site takeover and data exfiltration. Security patches have been released for both plugins; users are urged to update immediately. The vulnerabilities highlight the importance of proper input validation and access controls in plugin development.

Key Points:

  • CVE-2023-6553 allows RCE via LFI in the Backup Migration plugin (CVSS 9.8).
  • CVE-2026-1830 enables RCE through unauthorized REST API access in the Quick Playground plugin.
  • Immediate updates are recommended to mitigate these critical vulnerabilities.
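The second weakness class above (a REST endpoint that accepts file uploads without an authorization check) is easiest to see in plugin code. The following is an added illustration, not code from the Quick Playground or Backup Migration plugins: it registers a hypothetical upload route under an assumed `example-plugin/v1` namespace first without a `permission_callback` (the defect), then with a capability check plus an extension/MIME allow-list that excludes executable types, using only standard WordPress functions (`register_rest_route`, `current_user_can`, `wp_check_filetype_and_ext`, `wp_handle_upload`).

```php
<?php
// Added example (not the plugins' own code): a WordPress REST upload endpoint
// registered two ways. Namespace and function names are hypothetical.
const EXAMPLE_NS = 'example-plugin/v1';

add_action( 'rest_api_init', function () {
    // WEAK: no permission_callback. WordPress 5.5+ emits a _doing_it_wrong
    // notice, but the route is still registered and reachable by anyone,
    // which is the class of defect described for CVE-2026-1830.
    register_rest_route( EXAMPLE_NS, '/upload-weak', array(
        'methods'  => 'POST',
        'callback' => 'example_handle_upload',
    ) );

    // HARDENED: only an authenticated user holding upload_files may call it.
    // Cookie-authenticated REST calls also need the X-WP-Nonce header, which
    // core validates before this callback runs.
    register_rest_route( EXAMPLE_NS, '/upload', array(
        'methods'             => 'POST',
        'callback'            => 'example_handle_upload',
        'permission_callback' => function () {
            return current_user_can( 'upload_files' );
        },
    ) );
} );

function example_handle_upload( WP_REST_Request $request ) {
    $files = $request->get_file_params();
    if ( empty( $files['file'] ) ) {
        return new WP_Error( 'no_file', 'No file provided.', array( 'status' => 400 ) );
    }
    $file = $files['file'];

    // Allow-list of what this endpoint accepts. PHP and other server-executable
    // types are deliberately absent, so an uploaded web shell (T1505.003)
    // cannot be stored even by an authorized caller.
    $allowed = array(
        'png'      => 'image/png',
        'jpg|jpeg' => 'image/jpeg',
        'pdf'      => 'application/pdf',
    );

    // Validate by content and name, not by the client-supplied MIME type.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'File type not allowed.', array( 'status' => 415 ) );
    }

    // wp_handle_upload() moves the file into the uploads directory with a
    // sanitized filename; test_form is false because this is not an HTML form post.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_failed', $result['error'], array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'url' => $result['url'] ) );
}
```

When auditing a plugin, grep its `register_rest_route` calls for a missing or `__return_true` `permission_callback` on any route that writes files or changes state; that single missing line is what turns an upload helper into an unauthenticated RCE path.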

Key Entities

  • Zero-day Exploit (attack_type)
  • CVE-2026-1830 (cve)
  • T1505.003 - Web Shell (mitre_attack)
  • PHP (platform)
  • WordPress (platform)
  • Burp Suite (tool)