
A critical vulnerability has been discovered in the WPvivid Backup & Migration plugin for WordPress, which is actively used on over 900,000 websites. This flaw enables remote code execution through the unauthorized upload of arbitrary files, bypassing authentication requirements.
Identified as CVE-2026-1357, this security issue carries a critical severity score of 9.8. It affects all plugin versions up to and including 0.9.123 and could potentially result in a full compromise of a website.
Despite its critical nature, security researchers at Defiant, a WordPress security firm, note that only websites with the non-default “receive backup from another site” option enabled are at significant risk.
Attackers have a limited 24-hour window for exploitation, corresponding to the validity period of the key generated for receiving backup files from other sites.
While this requirement restricts the immediate exposure, the plugin is frequently utilized for website migrations and backup transfers between hosting providers. This means site administrators are likely to activate this feature, even if only for a short period.
The vulnerability was reported to Defiant by researcher Lucas Montes (NiRoX) on January 12. Its core lies in inadequate error handling during RSA decryption and insufficient path sanitization.
When the openssl_private_decrypt() function fails, the plugin continues execution rather than stopping, and passes the failed result (false) on to the AES (Rijndael) routine.
This action causes the cryptographic library to interpret the result as a string of null bytes, leading to a predictable encryption key. An attacker could then leverage this key to create malicious payloads that the plugin would process.
Furthermore, the plugin did not adequately sanitize uploaded file names, which enables directory traversal. This flaw permits files to be written outside the designated backup directory, including the upload of malicious PHP files for remote code execution.
Defiant informed the vendor, WPVividPlugins, on January 22, after confirming the proof-of-concept exploit. A security update, version 0.9.124, was released on January 28 to address CVE-2026-1357.
The patch introduces a check to halt execution if RSA decryption fails, implements filename sanitization, and limits uploads strictly to approved backup file types, including ZIP, GZ, TAR, and SQL.
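As an added illustration, not the plugin's code or Defiant's proof of concept, the PHP below shows how the unchecked openssl_private_decrypt() failure described above degrades to an all-zero AES key, beside hardened helpers that apply the three checks the patch is described as adding (stop on RSA failure, strip path components, allow only backup file types). All function names and the sample values are assumptions.

```php
<?php
// Vulnerable pattern: the result of openssl_private_decrypt() is never checked.
function unwrap_key_vulnerable(string $wrapped, string $priv_pem): string {
    openssl_private_decrypt($wrapped, $key, $priv_pem);
    // On failure $key holds no usable secret. (string) false === "" and
    // openssl_decrypt() silently NUL-pads a short key to the cipher's key size,
    // so AES-256 ends up keyed with 32 zero bytes: a predictable key.
    return (string) ($key ?? false);
}

// Hardened pattern: abort on RSA failure and insist on a full-length key.
function unwrap_key_hardened(string $wrapped, string $priv_pem): string {
    if (!openssl_private_decrypt($wrapped, $key, $priv_pem) || strlen($key) !== 32) {
        throw new RuntimeException('RSA unwrap failed: refusing to process backup');
    }
    return $key;
}

// Filename check: no directory components, and only approved backup types.
function safe_backup_path(string $name, string $backup_dir): string {
    $base = basename($name);
    if ($base !== $name || !preg_match('/^[A-Za-z0-9._-]+\.(zip|gz|tar|sql)$/i', $base)) {
        throw new RuntimeException('Rejected backup filename: ' . $name);
    }
    return rtrim($backup_dir, '/') . '/' . $base;
}

// Self-check with a constructed key pair and a deliberately invalid wrapped key.
$priv = openssl_pkey_new(['private_key_bits' => 2048]);
openssl_pkey_export($priv, $priv_pem);
$bad_wrapped = 'not a valid RSA ciphertext';           // wrong length: decrypt fails
$iv = random_bytes(16);
$zero_key_ct = openssl_encrypt('constructed payload', 'aes-256-cbc',
                               str_repeat("\0", 32), OPENSSL_RAW_DATA, $iv);

$weak = unwrap_key_vulnerable($bad_wrapped, $priv_pem);
var_dump($weak === '');                                 // bool(true)
// The "" key decrypts data encrypted under 32 NUL bytes: the keys are equivalent.
var_dump(openssl_decrypt($zero_key_ct, 'aes-256-cbc', $weak,
                         OPENSSL_RAW_DATA, $iv) === 'constructed payload'); // bool(true)

try { unwrap_key_hardened($bad_wrapped, $priv_pem); }
catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }

var_dump(safe_backup_path('site-backup.zip', '/backups'));
try { safe_backup_path('../../wp-content/evil.php', '/backups'); }
catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
```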
Users of the WPvivid Backup & Migration WordPress plugin are advised to be aware of the risks posed by this vulnerability and to upgrade to version 0.9.124 without delay.

