Critical WordPress Backup Plugin RCE Flaw Exposes 8
An unauthenticated attacker can exploit a critical vulnerability in the WPvivid Backup & Migration WordPress plugin to upload arbitrary files and execute code on the server. This remote code...
An unauthenticated attacker can exploit a critical vulnerability in the WPvivid Backup & Migration WordPress plugin to upload arbitrary files and execute code on the server. This remote code execution (RCE) often results in full site takeover.
The issue is tracked as CVE-2026-1357, scored 9.8 (Critical), and affects plugin versions up to and including 0.9.123, with a fix available in 0.9.124.
The most serious risk applies only when a site has enabled WPvivid’s “receive a backup from another site” feature by generating a key in the plugin settings, since the feature is disabled by default and the key can expire in at most 24 hours.
In the vulnerable flow, attackers can target the backup-receiving endpoint and trigger the upload path associated with the wpvivid_action=send_to_site parameter.
Wordfence researchers noted that the weakness comes from a crypto error-handling mistake combined with unsafe file-path handling, which together make arbitrary PHP upload and remote code execution feasible.
How the upload works
When RSA decryption fails during message processing, the code can continue with a false value that effectively becomes a predictable “all null bytes” key in the AES/Rijndael routine, allowing attackers to craft data the server will accept.
The plugin also accepted filenames from the decrypted payload without proper sanitization, enabling directory traversal so a file could escape the intended backup directory and land in a web-accessible location.
WPvivid fixed the issue in 0.9.124 by stopping processing when the decrypted key is empty/false and by restricting uploads to expected backup extensions (such as zip/gz/tar/sql).
| Field | Details |
|---|---|
| Vulnerability | Unauthenticated arbitrary file upload → RCE |
| CVE / CVSS | CVE-2026-1357 / 9.8 (Critical) |
| Affected versions | ≤ 0.9.123 |
| Patched version | 0.9.124 |
| Exploit condition | Receive-backup generated key enabled; max 24h expiry |
| Key attack surface | wpvivid_action=send_to_site upload path |
| Root cause | RSA decrypt failure not stopping + path traversal/unsanitized names |
Administrators should update to 0.9.124, disable the receive-backup key when not needed, rotate any generated keys, and review the web root for unexpected PHP files created around the enabled-key window.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
No Comment! Be the first one.