A critical vulnerability within the WPvivid Backup & Migration WordPress plugin has exposed approximately 800,000 websites to high-risk remote code execution (RCE) attacks. This severe security flaw, identified as CVE-2026-1357 and rated with a CVSS score of 9.8 (Critical), allows unauthenticated attackers to upload arbitrary files and execute commands directly on the server. The issue, detailed by Wordfence researchers, impacts plugin versions up to and including 0.9.123, with a patch now available in version 0.9.124.
The most significant danger arises when the WPvivid plugin’s “receive a backup from another site” feature is activated. This feature, disabled by default, requires administrators to generate a specific key, which has a maximum lifespan of 24 hours. Attackers can exploit this window by targeting the backup-receiving endpoint, specifically leveraging the wpvivid_action=send_to_site parameter to initiate malicious file uploads. This vulnerability opens a pathway for potentially complete website takeover.
Understanding the WPvivid Backup Plugin Vulnerability
Researchers pinpointed the root cause of the vulnerability as a combination of errors in cryptographic handling and insecure file path management. Specifically, when the plugin encounters an RSA decryption failure during message processing, it can erroneously proceed with a null key. This predictable key then allows attackers to craft malicious data that the server incorrectly accepts.
Furthermore, the plugin failed to adequately sanitize filenames received from the decrypted payload. This oversight enabled directory traversal, allowing attackers to place uploaded files outside their intended backup directories and into web-accessible locations. Such files could then be executed, leading to remote code execution on the compromised server. The exploit chain is particularly potent due to these combined weaknesses.
The WPvivid development team addressed the vulnerability in version 0.9.124. Their fix involves ceasing any further processing if the decrypted key is empty or invalid. Additionally, they have implemented stricter controls to ensure that uploaded files are restricted to expected backup extensions, such as zip, gz, tar, and sql. This two-pronged approach significantly reduces the attack surface.
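To make the two described fixes concrete, here is an added illustrative check in Python (not the plugin's own PHP code, and not taken from the Wordfence write-up): it refuses to continue when the decrypted key is empty, rejects names carrying path components, enforces the zip/gz/tar/sql extension allowlist, and confirms the destination resolves inside the backup directory. The function name, the `backup_dir` argument and the sample names are assumptions for the example.

```python
import os
import posixpath

# Extensions the article says the patched plugin (0.9.124) still accepts.
ALLOWED_EXTENSIONS = {"zip", "gz", "tar", "sql"}


def validate_received_backup(decrypted_key, filename, backup_dir):
    """Return (accepted, detail) for a file name taken from a decrypted payload.

    Hypothetical helper modelling the fix described in the article:
    1. an RSA decryption failure (empty/invalid key) must stop processing;
    2. the file must keep a backup extension and land inside backup_dir.
    """
    # Check 1: never fall through to a null key after a decryption failure.
    if not decrypted_key:
        return False, "decryption failed: empty key, processing stopped"

    # Check 2a: only a bare file name is acceptable; normalise backslashes so a
    # Windows-style separator cannot smuggle in a directory component.
    name = filename.replace("\\", "/")
    if not name or name in (".", "..") or name != posixpath.basename(name):
        return False, "filename contains path components"

    # Check 2b: allowlist the final extension ('backup.tar.gz' passes as 'gz').
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension '%s' is not a backup extension" % ext

    # Check 2c: belt and braces, the resolved path must stay under backup_dir.
    root = os.path.realpath(backup_dir)
    dest = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, dest]) != root:
        return False, "destination escapes the backup directory"

    return True, dest


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate archive, one empty key,
    # one traversal attempt and one web-executable name.
    for key, fname in [("k", "site-2026.tar.gz"), (None, "site-2026.zip"),
                       ("k", "../../../not-a-backup.php"), ("k", "index.php")]:
        print(fname, "->", validate_received_backup(key, fname, "/var/wpvivid"))
```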
| Field | Details |
|---|---|
| Vulnerability | Unauthenticated arbitrary file upload → RCE |
| CVE / CVSS | CVE-2026-1357 / 9.8 (Critical) |
| Affected versions | ≤ 0.9.123 |
| Patched version | 0.9.124 |
| Exploit condition | “Receive backup” feature enabled with a generated key (key valid for at most 24 hours) |
| Key attack surface | wpvivid_action=send_to_site upload path |
| Root cause | RSA decryption failure does not abort processing (null key accepted); unsanitized filenames allow path traversal |
Mitigation and Future Steps
Website administrators using the WPvivid Backup & Migration plugin are strongly urged to update to the latest version, 0.9.124, immediately. Beyond updating, security best practices dictate disabling the “receive backup” feature and its associated keys whenever they are not actively in use. If keys have been previously generated, rotating them is recommended to further minimize exposure.
Additionally, website owners should conduct a thorough review of their web root directories for any unexpected PHP files that may have been created during the period when the “receive backup” feature was enabled. Vigilance in monitoring website files and backups can help detect and remediate any unauthorized activity. The cybersecurity community will continue to monitor for any exploitation attempts related to this critical WPvivid backup plugin vulnerability.