A critical vulnerability in the WPvivid Backup & Migration plugin threatens over 900,000 WordPress sites with potential full site takeovers.
Quick Summary – TLDR:
- A severe security flaw in WPvivid Backup & Migration affects all versions up to 0.9.123.
- The vulnerability allows unauthenticated remote code execution (RCE) via arbitrary file uploads.
- It only impacts sites with a specific backup setting enabled, but that setting is commonly used.
- A patch is available in version 0.9.124 and users are urged to update immediately.
What Happened?
Security researchers discovered a critical vulnerability in the popular WPvivid Backup & Migration plugin, installed on more than 900,000 WordPress sites. The flaw, now tracked as CVE-2026-1357, allows unauthenticated attackers to upload arbitrary PHP files and gain remote code execution rights. While the exploit requires a specific setting to be enabled, many sites may still be at risk during backups or migrations.
800,000 WordPress Sites Affected by Arbitrary File Upload Vulnerability in WPvivid Backup WordPress Plugin
— Wordfence (@wordfence) February 10, 2026
A critical arbitrary file upload vulnerability (CVE-2026-1357, CVSS 9.8) was found in WPvivid Backup, a plugin installed on over 800,000 WordPress sites.
Update to…
Vulnerability Details
The flaw stems from improper error handling during RSA decryption and lack of path sanitization when processing uploaded files. Here’s how it works:
- When the plugin fails to decrypt a session key using openssl_private_decrypt(), it does not stop execution.
- Instead, it passes a false value to the AES encryption routine, which treats it as a predictable key (null bytes).
- This opens the door for attackers to craft payloads that the plugin mistakenly accepts as valid backup files.
- Because the file names from these payloads are not sanitized, attackers can exploit directory traversal to place malicious PHP files anywhere in the public directory.
- The attack is triggered via the wpvivid_action=send_to_site parameter.
The plugin’s default configuration has this backup feature turned off. However, many admins enable it temporarily during migrations or remote backups, creating a 24-hour window of exposure due to the temporary key’s validity.
How It Was Discovered?
The vulnerability was discovered by security researcher Lucas Montes (NiRoX) and responsibly reported to the Wordfence Bug Bounty Program. According to Wordfence, the issue was reported just five days after being introduced into the plugin. Montes earned a bounty of $2,145.00 for the discovery.
Wordfence deployed a firewall rule to premium users on January 22, 2026, to block attacks targeting this flaw. Free users will receive the same protection on February 21, 2026.
Vendor Response and Patch
The development team at WPVividPlugins responded quickly after being notified on January 22 and released a patch in version 0.9.124 on January 28.
The patch includes:
- A fail-safe to stop execution when RSA decryption fails.
- Proper filename sanitization to block directory traversal.
- File type restrictions allowing only safe formats like .zip, .tar, .gz, and .sql.
Users of the plugin are strongly advised to update to version 0.9.124 or later to secure their websites from potential takeovers.
SQ Magazine’s Takeaway
If you run a WordPress site using WPvivid, this is one of those bugs you really cannot ignore. I get that many of us only enable those backup options for a short while, but that short window is all hackers need. The fix is out, and it’s a simple plugin update. I say update it now, even if you think you’re not at risk. Better safe than rebuilding your whole site from scratch.
