Critical WPvivid Backup & Migration Vulnerability (CVE-2026-1357) Enables Unauthenticated RCE on WordPress Sites

CyberSecureFox 🦊

A critical security flaw in the popular WPvivid Backup & Migration plugin for WordPress enables unauthenticated remote code execution (RCE) through arbitrary file upload. More than 900,000 WordPress sites using this backup and migration tool may be exposed if specific configuration conditions are met.

Overview of CVE-2026-1357 in WPvivid Backup & Migration

The vulnerability has been assigned CVE-2026-1357 and scored 9.8 on the CVSS scale, placing it in the highest, critical risk category. Such a score reflects the potential for full site compromise, including taking over the WordPress installation and any data hosted on the server.

The issue affects all versions of WPvivid Backup & Migration up to and including 0.9.123. A patched release, version 0.9.124, was made available on 28 January 2026 after security researcher Lucas Montes (NiRoX) reported the flaw to Defiant, the company behind Wordfence, on 12 January 2026. The plugin vendor was notified on 22 January and responded with a timely fix.

Who Is Really at Risk: Exploitation Conditions and Real-World Impact

Although CVE-2026-1357 is technically severe, Defiant’s analysis indicates that not every installation is equally exposed. Exploitation requires that a specific WPvivid feature be enabled: the option to “receive backup from another site”.

For a successful attack, two conditions must be satisfied:

  • The WordPress site has the “receive backup from another site” function enabled in WPvivid.
  • The attacker acts within a 24-hour window during which the backup transfer key, used for site-to-site communication, remains valid.

In practice, however, many administrators temporarily enable remote backup and migration when moving sites between hosting providers. When such options are left enabled longer than necessary, the attack surface expands significantly, particularly given WordPress’s large market share (over 40% of the web according to multiple industry surveys).

Technical Breakdown: From Crypto Failure to Arbitrary File Upload

RSA Decryption Error Handling and Predictable AES Key

The first core problem lies in improper error handling during RSA decryption, which is then chained with AES (Rijndael) encryption logic. The plugin uses the PHP function openssl_private_decrypt() to decrypt incoming backup data.

When decryption fails, openssl_private_decrypt() returns false. Instead of halting execution, the vulnerable versions of the plugin passed this false value into the AES-based cryptographic routine. Internally, the crypto code treated false as a string of null bytes, which effectively resulted in a fixed, predictable encryption key.

An attacker aware of this behavior could craft backup payloads that appear structurally valid but are in fact malicious archives, encrypted (or simply formatted) to match the predictable key. The plugin would then accept and process the data as if it were a legitimate backup from a trusted site.
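The failure mode described above, as an added illustration that is not WPvivid's own code: a helper that mirrors openssl_private_decrypt() returning false, a vulnerable caller that passes that result straight into the AES routine, and the fail-closed version that checks the result first. The function names (rsa_unwrap_key, vulnerable_decrypt_payload, safe_decrypt_payload), the AES-256-CBC choice and the sample data are assumptions for the demonstration; PHP 8 with the openssl extension is assumed.

```php
<?php
// Added illustration, not WPvivid's code. Models the two behaviours described
// in the article: an RSA decryption failure whose `false` result is passed on
// as the AES key, and the explicit check that stops processing instead.
// Assumed names: rsa_unwrap_key(), vulnerable_decrypt_payload(), safe_decrypt_payload().

declare(strict_types=1);

// Unwraps the per-transfer AES key that the remote site RSA-encrypted for us.
// Returns the key on success, or false when OpenSSL cannot decrypt (wrong key,
// corrupted blob, attacker-supplied garbage), mirroring openssl_private_decrypt().
function rsa_unwrap_key(string $wrapped, string $privateKeyPem): string|false
{
    $aesKey = '';
    if (!openssl_private_decrypt($wrapped, $aesKey, $privateKeyPem)) {
        return false;
    }
    return $aesKey;
}

// VULNERABLE pattern: the return value is used as the key without checking it.
// When it is `false`, PHP casts it to the empty string and the OpenSSL binding
// pads the key with NUL bytes up to the cipher's key length, so every failed
// decryption ends up using the all-zero AES-256 key.
function vulnerable_decrypt_payload(string $wrapped, string $privateKeyPem, string $iv, string $ciphertext): string|false
{
    $aesKey = rsa_unwrap_key($wrapped, $privateKeyPem);
    return openssl_decrypt($ciphertext, 'aes-256-cbc', (string) $aesKey, OPENSSL_RAW_DATA, $iv);
}

// HARDENED pattern: fail closed. A decryption failure aborts the import, and a
// key of the wrong length is rejected before it reaches the cipher.
function safe_decrypt_payload(string $wrapped, string $privateKeyPem, string $iv, string $ciphertext): string
{
    $aesKey = rsa_unwrap_key($wrapped, $privateKeyPem);
    if ($aesKey === false || strlen($aesKey) !== 32) {
        throw new RuntimeException('Backup transfer key could not be decrypted; import aborted');
    }
    $plain = openssl_decrypt($ciphertext, 'aes-256-cbc', $aesKey, OPENSSL_RAW_DATA, $iv);
    if ($plain === false) {
        throw new RuntimeException('Backup payload failed to decrypt; import aborted');
    }
    return $plain;
}

// Self-check with constructed data: a payload encrypted under the all-zero key
// together with a "wrapped key" that is random garbage, so RSA unwrapping fails.
$keyPair = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($keyPair, $privateKeyPem);

$iv = random_bytes(16);
$zeroKey = str_repeat("\0", 32);
$ciphertext = openssl_encrypt('constructed backup bytes', 'aes-256-cbc', $zeroKey, OPENSSL_RAW_DATA, $iv);
$garbageWrapped = random_bytes(256);   // not a valid RSA-encrypted key

var_dump(vulnerable_decrypt_payload($garbageWrapped, $privateKeyPem, $iv, $ciphertext));
try {
    safe_decrypt_payload($garbageWrapped, $privateKeyPem, $iv, $ciphertext);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Run with the PHP CLI: the vulnerable path hands back the plaintext even though the RSA step failed, because the zero-padded empty key is exactly the key the sender used, while the hardened path throws before any payload is touched. The lesson for code review is that a `string|false` return from a crypto primitive must be tested with `=== false`, never coerced.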

Path Traversal and Writing Files Outside the Backup Directory

The second part of the exploit chain involves insufficient sanitization of file names during the restore/import process. The plugin did not adequately neutralize path traversal sequences such as ../, leaving it open to a classic directory (path) traversal attack.

By manipulating file paths inside the backup archive, an attacker could:

  • Write arbitrary files outside the intended backup directory.
  • Place malicious scripts in web-accessible locations such as the site root or wp-content/uploads.
  • Achieve remote code execution by triggering those scripts via normal HTTP requests.

The combination of a predictable decryption key and directory traversal essentially turned the backup import channel into an unauthenticated file upload mechanism, suitable for dropping web shells or other persistent backdoors.

Security Fixes in WPvivid Backup & Migration 0.9.124

In version 0.9.124, the WPvivid development team has addressed CVE-2026-1357 through several key improvements that harden the plugin’s backup and migration functionality.

  • Robust error handling: The result of openssl_private_decrypt() is now checked explicitly, and processing stops immediately if RSA decryption fails, preventing the use of invalid keys.
  • Strict file name validation: File paths are sanitized and validated to eliminate directory traversal sequences and keep writes confined to approved locations.
  • File type allowlisting: The plugin now restricts uploads to specific backup-related formats such as ZIP, GZ, TAR, and SQL, reducing the risk of directly uploading executable scripts.

These changes significantly narrow the attack vector and bring the backup import feature back in line with secure design principles for WordPress backup plugins.
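The file-name validation and type allowlisting from the fix list, and the traversal problem they address in the section above, as an added example that is not WPvivid's code: a single check that canonicalises the backup directory, rejects traversal components outright rather than stripping them, applies the extension allowlist the article names (ZIP, GZ, TAR, SQL), and confirms the final path stays inside the base directory. The function name safe_restore_path, the constant ALLOWED_BACKUP_EXTENSIONS and the sample file names are assumptions; PHP 8 is assumed.

```php
<?php
// Added illustration, not WPvivid's code. Shows the restore-side checks the
// article describes: keep every written file inside the backup directory and
// accept only backup-related extensions.
// Assumed names: safe_restore_path(), ALLOWED_BACKUP_EXTENSIONS.

declare(strict_types=1);

const ALLOWED_BACKUP_EXTENSIONS = ['zip', 'gz', 'tar', 'sql'];

/**
 * Returns the absolute path a received file may be written to, or null if the
 * name must be rejected. $backupDir must already exist.
 */
function safe_restore_path(string $backupDir, string $entryName): ?string
{
    // 1. Canonicalise the base directory once; realpath() resolves symlinks
    //    and "..", so the containment test below compares like with like.
    $base = realpath($backupDir);
    if ($base === false) {
        return null;
    }

    // 2. Reject absolute names, NUL bytes and back-slashes outright; names
    //    supplied by the remote side should be relative, forward-slash paths.
    if ($entryName === '' || $entryName[0] === '/' || str_contains($entryName, "\0") || str_contains($entryName, '\\')) {
        return null;
    }

    // 3. Reject any ".." or "." component instead of trying to strip it;
    //    stripping is what lets "....//"-style names survive.
    foreach (explode('/', $entryName) as $part) {
        if ($part === '' || $part === '.' || $part === '..') {
            return null;
        }
    }

    // 4. Extension allowlist on the final component, case-insensitive. This is
    //    one layer only: the directory confinement above is the other.
    $ext = strtolower(pathinfo($entryName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_BACKUP_EXTENSIONS, true)) {
        return null;
    }

    // 5. Final containment check on the joined path: it must start with the
    //    canonical base directory followed by a separator.
    $target = $base . DIRECTORY_SEPARATOR . str_replace('/', DIRECTORY_SEPARATOR, $entryName);
    if (!str_starts_with($target, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $target;
}

// Constructed sample names for a quick self-check.
$backupDir = sys_get_temp_dir() . '/wpvivid-example';
@mkdir($backupDir);

$samples = [
    'site-2026-01-28.zip',            // accepted
    'db/site.sql',                     // accepted
    '../../wp-content/uploads/x.php',  // rejected: traversal
    '../../../index.zip',              // rejected: traversal
    '/etc/passwd',                     // rejected: absolute path
    'backup.php',                      // rejected: extension not allowlisted
    "shell.zip\0.php",                 // rejected: NUL byte
];
foreach ($samples as $name) {
    $result = safe_restore_path($backupDir, $name);
    printf("%-36s => %s\n", addcslashes($name, "\0"), $result ?? 'REJECTED');
}
```

The two accepted names resolve under the temporary backup directory; every other sample is rejected by the step noted beside it. Rejecting rather than sanitising matters: a filter that strips `../` once can be bypassed by nesting, whereas a check that refuses any `..` component has nothing to bypass.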

Site owners and administrators are strongly advised to update WPvivid Backup & Migration to version 0.9.124 or later without delay. Remaining on any vulnerable version up to 0.9.123 is particularly dangerous if the site has ever enabled receiving backups from other sites, even temporarily.

Beyond patching this specific plugin, it is prudent to strengthen overall WordPress security hygiene: disable remote import and migration features when not in use, restrict access to /wp-admin via IP allowlists or VPN, deploy a web application firewall (WAF) to block malicious payloads, and implement file integrity monitoring to detect unexpected changes. A layered defense strategy makes it significantly harder for attackers to exploit both known and zero-day vulnerabilities—and increases the chances of catching a compromise before it escalates.
