
Vulnerability in WordPress Backup Plugin Leaves 800,000 Sites Open to Remote Code Execution Exploits

A critical vulnerability in the WPvivid Backup & Migration WordPress plugin allows unauthenticated attackers to upload files and execute code on the server, potentially leading to full site takeover. This issue, tracked as CVE-2026-1357, has been assigned a severity score of 9.8 (Critical) and affects all plugin versions up to and including 0.9.123. A fix is available in version 0.9.124. The most significant risk arises when the “receive a backup from another site” feature is enabled, which requires generating a key in the plugin settings. This feature is disabled by default, and the generated key expires within 24 hours. Attackers can exploit the backup-receiving endpoint by triggering the upload path associated with the wpvivid_action=send_to_site parameter.

Wordfence researchers identified that the vulnerability stems from a combination of a crypto error-handling mistake and unsafe file-path handling, enabling arbitrary PHP uploads and remote code execution. When RSA decryption fails, the code may continue processing with a false value, resulting in a predictable key of all null bytes being used in the AES/Rijndael routine. Additionally, the plugin accepts filenames from the decrypted payload without proper sanitisation, allowing directory traversal and letting files escape the intended backup directory. WPvivid addressed this issue in version 0.9.124 by halting processing when the decrypted key is empty or false and by restricting uploads to expected backup file extensions. Administrators are advised to update to version 0.9.124, disable the receive-backup key when it is not needed, rotate any generated keys, and review the web root for unexpected PHP files created during the key's active period.
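The two defects and the shape of the fix described above, as an added PHP illustration (not WPvivid's code; the helper names, payload layout, key length and extension allow-list are assumptions of this example):

```php
<?php
// Constructed illustration of the pattern described in the article; hypothetical
// helper names, not the plugin's code. $private_key is the site's RSA private key
// in PEM form; $payload is the decoded request body.

// Vulnerable pattern: a failed RSA decryption leaves $aes_key as false, which is
// passed on as the AES key. PHP coerces false to "" and the cipher routine pads it
// with NUL bytes, so the key is predictable. The filename is also used unsanitised.
function receive_backup_vulnerable(string $private_key, array $payload, string $backup_dir): string
{
    $aes_key = false;
    openssl_private_decrypt(base64_decode($payload['key']), $aes_key, $private_key);
    // No check of the return value: $aes_key may still be false here.
    $plain = openssl_decrypt($payload['data'], 'aes-256-cbc', (string) $aes_key, 0, $payload['iv']);
    $meta  = json_decode($plain, true);
    $dest  = $backup_dir . '/' . $meta['file_name'];   // a name containing ../ escapes the directory
    file_put_contents($dest, base64_decode($meta['content']));
    return $dest;
}

// Hardened pattern, matching the fix the article describes: stop when the decrypted
// key is empty or false, confine the file to the backup directory (basename is an
// assumption of this example), and accept only expected backup extensions.
function receive_backup_hardened(string $private_key, array $payload, string $backup_dir): ?string
{
    $aes_key = '';
    $ok = openssl_private_decrypt(base64_decode($payload['key'], true), $aes_key, $private_key);
    if ($ok !== true || $aes_key === '' || strlen($aes_key) !== 32) {
        return null;                     // halt: never fall through with a bogus key
    }
    $plain = openssl_decrypt($payload['data'], 'aes-256-cbc', $aes_key, 0, $payload['iv']);
    if ($plain === false) {
        return null;                     // authentication/decoding failure, not "empty data"
    }
    $meta = json_decode($plain, true);
    if (!is_array($meta) || !isset($meta['file_name'], $meta['content'])) {
        return null;
    }
    $name = basename($meta['file_name']);  // strips any directory component
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    $allowed = ['zip' => true, 'gz' => true, 'sql' => true]; // assumed allow-list
    if ($name === '' || $name[0] === '.' || !isset($allowed[$ext])) {
        return null;                     // rejects PHP and any other unexpected type
    }
    $dest = rtrim($backup_dir, '/') . '/' . $name;
    file_put_contents($dest, base64_decode($meta['content']));
    return $dest;
}
```

For detection, the same two checks translate into log review: a receive-backup request whose RSA step failed but that still produced a file, or a stored filename containing a directory separator, is the signature of this defect class.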
