A critical security vulnerability has been identified in the WPvivid Backup and Migration plugin for WordPress, placing more than 900,000 websites at risk of remote code execution. The flaw, tracked as CVE-2026-1357 and assigned a severity score of 9.8, affects all plugin versions up to 0.9.123. Security researchers warn that the issue could allow unauthenticated attackers to upload arbitrary files and potentially take full control of affected websites under certain conditions.
According to findings reported by BleepingComputer and detailed by researchers at WordPress security firm Defiant, the vulnerability is primarily exploitable on websites where the non-default "receive backup from another site" feature is enabled. Although this option is not active by default, it is commonly used during website migrations and backup transfers between hosting environments, increasing the likelihood that administrators enable it at least temporarily. Attackers also face a 24-hour exploitation window, which corresponds to the validity period of the generated key required for backup file transfers. While this requirement narrows the exposure window, the widespread adoption of the plugin heightens the overall risk.
The vulnerability was discovered by security researcher Lucas Montes, known as NiRoX, who reported the issue to Defiant on January 12. Technical analysis revealed that the root cause stems from improper error handling in RSA decryption combined with insufficient path sanitization. Specifically, when the openssl_private_decrypt function fails, the plugin does not terminate execution as expected. Instead, it passes the failed result to the AES Rijndael encryption routine. The cryptographic library interprets the failed output as a string of null bytes, effectively generating a predictable encryption key. This predictable key can then be leveraged by attackers to craft malicious payloads that the plugin would accept as legitimate.
In addition to flawed cryptographic handling, the plugin also failed to adequately sanitize uploaded file names. This oversight enables directory traversal attacks, allowing threat actors to write files outside the designated backup directory. By exploiting this weakness, attackers can upload malicious PHP files and achieve remote code execution on vulnerable systems. Successful exploitation could lead to complete website compromise, data manipulation, or further lateral movement within hosting environments.
Following validation of the proof-of-concept exploit, Defiant notified the plugin vendor WPVividPlugins on January 22. A patched release addressing CVE-2026-1357, version 0.9.124, was published on January 28. The security update introduces stricter controls, including proper termination of execution when RSA decryption fails, enhanced filename sanitization, and restrictions limiting uploads to approved backup file formats such as ZIP, GZ, TAR, and SQL. Website administrators using the WPvivid Backup and Migration plugin are strongly advised to update to the latest version immediately to mitigate the threat and keep their WordPress environments protected.