A critical vulnerability tracked as CVE-2026-1357 (CVSS 9.8) affects the WPvivid Backup & Migration WordPress plugin and can allow unauthenticated arbitrary file upload leading to remote code execution (RCE) in versions ≤ 0.9.123.
Successful exploitation can result in full site takeover by writing attacker-controlled files (including PHP) to web-accessible locations. Public reporting indicates the plugin has a very large install base (reported at ~900k), making this a high-impact issue where exposure conditions are met.
Exposure conditions and real-world risk
The most critical exposure is tied to a non-default setting: sites are primarily at risk when the “receive backup from another site” capability is enabled.
Exploitation requires a generated key that appears to be valid for roughly 24 hours, which reduces always-on exposure, but this feature is commonly enabled during migrations or backup transfers, often temporarily, creating realistic windows of vulnerability in production environments.
Root cause and exploitation path
The vulnerability stems from improper error handling during RSA decryption combined with insufficient path sanitization when writing uploaded files.
When openssl_private_decrypt() fails, execution does not stop; the failed result can be treated as predictable input by subsequent crypto routines, enabling crafted payloads to be accepted.
In parallel, weak filename handling enables directory traversal, allowing files to be written outside the intended backup directory, including the placement of malicious PHP for code execution.
Reports highlight the attack surface in WPvivid’s inter-site transfer functionality (commonly referenced via actions like send_to_site).
Affected versions and fix
- Affected: WPvivid Backup & Migration up to 0.9.123.
- Patched: 0.9.124, released January 28, 2026, which adds proper failure handling for RSA decryption, improves filename sanitization, and restricts uploads to expected backup file types (e.g., ZIP/GZ/TAR/SQL).
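The two defects described above, a decryption failure that does not stop processing and a filename that is trusted when building the write path, and the fixes attributed to 0.9.124 can be illustrated with the following receive-side handler. This is an added example written for this advisory, not WPvivid's code: the function names, `ALLOWED_EXT`, and the constructed sample filenames are assumptions, and only the hardened behaviour is shown.

```php
<?php
// Added illustration (not WPvivid's code): fail closed when RSA decryption
// fails, and confine any written file to the backup directory with an
// extension allow-list. Function and constant names are assumptions.

const ALLOWED_EXT = ['zip', 'gz', 'tar', 'sql'];

function decrypt_transfer_key(string $ciphertext, string $private_key_pem): string {
    $plaintext = '';
    // The weak pattern the advisory describes keeps using $plaintext after a
    // failed call. Here a non-true return aborts the transfer immediately.
    if (openssl_private_decrypt($ciphertext, $plaintext, $private_key_pem) !== true) {
        throw new RuntimeException('RSA decryption failed; rejecting transfer');
    }
    return $plaintext;
}

function safe_backup_path(string $backup_dir, string $client_filename): string {
    // Drop every directory component so traversal sequences cannot survive.
    $name = basename($client_filename);
    if ($name === '' || $name === '.' || $name === '..') {
        throw new InvalidArgumentException('Empty or invalid filename');
    }
    // Accept only the archive/dump types a backup transfer legitimately produces.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new InvalidArgumentException("Disallowed extension: $ext");
    }
    // Defensive extra: servers that map secondary extensions to PHP would still
    // execute "name.php.zip", so refuse any filename containing ".php".
    if (stripos($name, '.php') !== false) {
        throw new InvalidArgumentException('PHP in filename rejected');
    }
    $root = realpath($backup_dir);
    if ($root === false) {
        throw new RuntimeException('Backup directory does not exist');
    }
    $target = $root . DIRECTORY_SEPARATOR . $name;
    // Final containment check: the resolved parent must be the backup directory.
    if (realpath(dirname($target)) !== $root) {
        throw new RuntimeException('Path escapes backup directory');
    }
    return $target;
}

// Constructed inputs: a traversal attempt is rejected, a legitimate archive is kept.
try {
    safe_backup_path(sys_get_temp_dir(), '../../wp-content/injected.php');
} catch (Exception $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
echo safe_backup_path(sys_get_temp_dir(), 'site-backup.zip'), "\n";
```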
Mitigation & Response
Organizations that use WordPress should immediately:
- Check if the WPvivid Backup & Migration plugin is installed and identify the running version
- Upgrade to version 0.9.124 or later to remediate CVE-2026-1357
- Review whether the “receive backup from another site” feature was enabled, especially during recent migrations
- Inspect backup and upload directories for unexpected PHP files or unfamiliar artifacts that may indicate exploitation
- Review WordPress and server logs for suspicious file upload or transfer activity tied to the plugin
- Remove any unauthorized files and isolate the site if compromise is suspected
If any support is required, please reach out immediately to the OP Innovate Incident Response team.
Stay Safe. Stay Secure.
OP Innovate Research Team