A critical vulnerability in the popular WPvivid Backup & Migration plugin is putting more than 800,000 WordPress websites at risk of complete takeover through remote code execution (RCE) attacks.
Tracked as CVE-2026-1357 and rated 9.8 on the CVSS scale, the vulnerability allows unauthenticated attackers to upload arbitrary files to vulnerable sites and execute malicious PHP code.
The issue affects WPvivid Backup versions up to and including 0.9.123 and stems from improper error handling in the plugin’s RSA decryption process combined with missing file path sanitization.
When the plugin attempts to decrypt a session key and fails, it does not stop execution, instead passing a false value into the AES cipher initialization routine.
The crypto library interprets this false value as a string of null bytes, enabling attackers to encrypt payloads using a predictable null-byte key.
At the same time, filenames extracted from the encrypted payload are not properly sanitized, allowing directory traversal to escape the backup directory and write files into publicly accessible locations.
Props to Lucas Montes (NiRoX), who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program.
| Field | Details |
|---|---|
| CVSS Rating | 9.8 (Critical) |
| CVE-ID | CVE-2026-1357 |
| Affected Versions | <= 0.9.123 |
| Patched Version | 0.9.124 |
| Bounty | $2,145.00 |
By abusing the wpvivid_action=send_to_site parameter, an unauthenticated attacker can upload arbitrary PHP files and then invoke them directly in the browser, resulting in remote code execution and likely full site compromise.
Arbitrary file upload vulnerabilities are commonly leveraged to deploy webshells, plant backdoors, or install further malware.
The plugin uses the key generated in its settings to RSA-decrypt the $key value. If that decryption fails, $key is set to false rather than to a valid key.
However, the exposure is most critical for site owners who have explicitly enabled the feature that allows another site to send backups using a generated key, which is disabled by default and limited to a maximum key lifetime of 24 hours.
For this finding, the researcher received a bounty of 2,145 dollars, underscoring the growing role of incentive programs in strengthening WordPress plugin security.
Wordfence issued a firewall rule on January 22, 2026, for its Premium, Care, and Response customers, with protection scheduled to reach free users on February 21, 2026.
The vendor patched this issue by adding an empty check on the $key value in the decrypt_message() function, so that a false result from RSA decryption is rejected instead of being passed on.

decrypt_message() function (Source: Wordfence).

After being contacted on January 22, the WPvivid development team responded the next day and released a fully patched version, 0.9.124, on January 28, 2026.
The fix adds a check to ensure that decryption failures immediately halt processing and introduces strict file extension validation so that only legitimate backup formats are accepted.
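The following PHP is an added illustration written for this article, not WPvivid's code or Wordfence's proof of concept. It shows the failure mode described above (an unchecked false RSA result silently stringifying to "" and being NUL-padded into an AES key by PHP's openssl_decrypt()) and the two hardening steps the patch is described as taking: halting on decryption failure, and validating the filename against a backup-format allowlist and the backup directory. All function and variable names, the AES-256-CBC mode, and the .zip allowlist are assumptions made for the example.

```php
<?php
// Added example, not the plugin's own code. Names and cipher choice are assumptions.

// BEFORE: the RSA result is never checked. On failure $key stays false, and
// when that false reaches openssl_decrypt() it is coerced to "" and then
// NUL-padded to the key length, i.e. a predictable all-zero AES key.
function decrypt_session_key_unchecked(string $private_key_pem, string $encrypted_key)
{
    $key = false;
    openssl_private_decrypt($encrypted_key, $key, $private_key_pem); // return value ignored
    return $key; // false on failure
}

// AFTER: fail closed. Reject a failed decryption and any key of the wrong length.
function decrypt_session_key(string $private_key_pem, string $encrypted_key): ?string
{
    $key = '';
    if (!openssl_private_decrypt($encrypted_key, $key, $private_key_pem) || $key === '') {
        return null; // the "empty check" the patch is described as adding
    }
    if (strlen($key) !== 32) {
        return null; // require a full AES-256 key; never accept one that would be padded
    }
    return $key;
}

function decrypt_message(string $private_key_pem, string $encrypted_key, string $iv, string $ciphertext): ?string
{
    $key = decrypt_session_key($private_key_pem, $encrypted_key);
    if ($key === null) {
        return null; // halt processing instead of continuing with a bogus key
    }
    $plain = openssl_decrypt($ciphertext, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    return $plain === false ? null : $plain;
}

// Filename handling for a name extracted from the decrypted payload:
// strip directory components, allow only a backup archive extension and a
// conservative character set, and confirm the result stays inside $backup_dir.
function safe_backup_path(string $backup_dir, string $untrusted_name): ?string
{
    $name = basename($untrusted_name);
    if (!preg_match('/^[A-Za-z0-9._-]+\.zip$/', $name) || str_contains($name, '..')) {
        return null; // anything that is not a plain .zip archive name is refused
    }
    $root = realpath($backup_dir);
    if ($root === false) {
        return null;
    }
    $target = $root . DIRECTORY_SEPARATOR . $name;
    // The file may not exist yet, so resolve its parent and require it to be the backup root.
    if (realpath(dirname($target)) !== $root) {
        return null;
    }
    return $target;
}

// Usage sketch: a receiving endpoint would call decrypt_message() first and
// abort on null, then pass the archive name through safe_backup_path() before
// any write. Both checks refuse the request rather than degrade to a weak key
// or an out-of-directory path.
```

Two design points are worth noting. The length check in decrypt_session_key() is stricter than the page's described "empty check" and closes the same class of bug for any short key, not just false. The path check uses an allowlist of what a backup name may look like rather than a denylist of traversal sequences, and still verifies containment with realpath() so that the decision does not rest on string matching alone.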
All WordPress site owners using WPvivid Backup are urged to update to version 0.9.124 or later as soon as possible to mitigate this critical remote code execution risk.