A significant security vulnerability has been discovered in the WPvivid Backup & Migration WordPress plugin, potentially impacting up to 800,000 websites. This flaw could allow unauthorized attackers to upload malicious files and execute code on vulnerable servers, potentially leading to complete site compromise.
Details of the Vulnerability
The vulnerability is identified as CVE-2026-1357 and has been given a critical severity score of 9.8. It affects versions of the plugin up to 0.9.123. A patch addressing this issue is available in version 0.9.124. The risk is particularly high when the plugin’s feature to receive backups from another site is activated, as this option is disabled by default and requires a key that expires within 24 hours.
Attackers can exploit the backup-receiving endpoint using the parameter wpvivid_action=send_to_site to initiate the file upload process. Wordfence researchers have highlighted that the vulnerability arises from a combination of cryptographic error handling and insecure file path management, enabling arbitrary PHP file uploads and remote code execution.
Technical Insights into the Exploit
The vulnerability is triggered when RSA decryption fails during message processing, resulting in the use of a predictable key composed of null bytes in the AES/Rijndael encryption routine. This flaw allows attackers to craft data packets that the server will accept as legitimate.
Moreover, the plugin did not properly sanitize filenames extracted from the decrypted data. This oversight permits directory traversal attacks, where files can escape the designated backup directory and be placed in publicly accessible locations on the server.
Solutions and Recommendations
WPvivid addressed the issue in version 0.9.124 by halting processing when the decrypted key is invalid and by restricting uploads to specific backup file types such as zip, gz, tar, and sql. Administrators are strongly urged to update to the latest plugin version, disable the receive-backup feature when not in use, rotate any active keys, and check their server for unexpected PHP files.
It is crucial for website administrators to promptly apply these updates and security measures to mitigate the risk of exploitation. Maintaining site security through regular updates and vigilant monitoring remains a top priority in safeguarding digital assets.
