WordPress Backup Plugin Vulnerability Exposes 800,000 Sites to Remote Code Execution Attacks
A critical flaw in the WPvivid Backup & Migration WordPress plugin can let an unauthenticated attacker upload files and run code on the server, a path that often ends in full site takeover.
The issue is tracked as CVE-2026-1357, scored 9.8 (Critical), and affects plugin versions up to and including 0.9.123, with a fix available in 0.9.124.
The most serious risk applies only when a site has enabled WPvivid’s “receive a backup from another site” feature by generating a key in the plugin settings, since the feature is disabled by default and the key can expire in at most 24 hours.
In the vulnerable flow, attackers can target the backup-receiving endpoint and trigger the upload path associated with the wpvivid_action=send_to_site parameter.
Wordfence researchers noted that the weakness comes from a crypto error-handling mistake combined with unsafe file-path handling, which together make arbitrary PHP upload and remote code execution feasible.
How the upload works
When RSA decryption fails during message processing, the code can continue with a false value that effectively becomes a predictable “all null bytes” key in the AES/Rijndael routine, allowing attackers to craft data the server will accept.
The plugin also accepted filenames from the decrypted payload without proper sanitization, enabling directory traversal so a file could escape the intended backup directory and land in a web-accessible location.
WPvivid fixed the issue in 0.9.124 by stopping processing when the decrypted key is empty/false and by restricting uploads to expected backup extensions (such as zip/gz/tar/sql).
| Field | Details |
|---|---|
| Vulnerability | Unauthenticated arbitrary file upload → RCE |
| CVE/ CVSS | CVE-2026-1357/ 9.8 (Critical) |
| Affected versions | ≤ 0.9.123 |
| Patched version | 0.9.124 |
| Exploit condition | Receive-backup generated key enabled; max 24h expiry |
| Key attack surface | wpvivid_action=send_to_site upload path |
| Root cause | RSA decrypt failure not stopping + path traversal/unsanitized names |
Administrators should update to 0.9.124, disable the receive-backup key when not needed, rotate any generated keys, and review the web root for unexpected PHP files created around the enabled-key window.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
The post WordPress Backup Plugin Vulnerability Exposes 800,000 Sites to Remote Code Execution Attacks appeared first on Cyber Security News.
>>More