PT-2026-7477 · Phpseclib+1
Lucas Montes · Published 2026-02-10 · Updated 2026-03-12 · CVE-2026-1357
CVSS v3.1: 9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Name of the Vulnerable Software and Affected Versions
WPvivid Backup & Migration versions up to and including 0.9.123
Description
The WPvivid Backup & Migration plugin for WordPress is susceptible to unauthenticated arbitrary file upload, potentially leading to Remote Code Execution (RCE). The issue stems from flawed error handling during RSA decryption and insufficient path sanitization of uploaded files. Specifically, when openssl_private_decrypt() fails, the plugin does not halt execution and instead passes the boolean false return value to the phpseclib library as the AES cipher key. The library interprets that value as a string of null bytes, so an attacker can encrypt a malicious payload with a predictable null-byte key. Furthermore, the plugin does not sanitize filenames taken from the decrypted payload, allowing directory traversal and the placement of malicious PHP files in publicly accessible directories. Exploitation occurs via the wpvivid action=send_to_site parameter. Approximately 800,000 to 900,000 WordPress sites are estimated to be affected.
Recommendations
Update the WPvivid Backup & Migration plugin to version 0.9.124 or later immediately.
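As an added illustration (not WPvivid's or phpseclib's code; the function names, the 32-byte key size, OAEP padding and the extension allow-list are assumptions), a PHP receive handler that fails closed when RSA decryption returns false and confines uploaded filenames, covering the two defects the description names:

```php
<?php
// Added example, not code from the plugin. The bug class: openssl_private_decrypt()
// signals failure with a boolean false; a caller that ignores that and hands the
// result on as the AES key keeps running with a predictable key instead of stopping.
// Vulnerable pattern (sketch): openssl_private_decrypt($enc, $key, $priv); $aes->setKey($key);

function decrypt_session_key(string $wrapped_key, string $private_key_pem): string {
    $key = '';
    // The boolean return value is the only reliable failure signal; check it.
    // OAEP padding is an assumption; the client side must use the same mode.
    if (openssl_private_decrypt($wrapped_key, $key, $private_key_pem, OPENSSL_PKCS1_OAEP_PADDING) !== true) {
        throw new RuntimeException('RSA unwrap failed: ' . (openssl_error_string() ?: 'unknown'));
    }
    // Enforce the expected key size so an empty or short value never reaches the cipher.
    if (!is_string($key) || strlen($key) !== 32) { // AES-256 key length, assumed
        throw new RuntimeException('Unexpected session key length');
    }
    return $key;
}

// Assumed allow-list of backup artefact types; never PHP or other server-executed extensions.
const ALLOWED_UPLOAD_EXT = ['zip', 'sql', 'json', 'txt'];

function safe_upload_filename(string $name): string {
    // Keep only the final path segment so "../" sequences and absolute paths are dropped.
    $base = basename(str_replace('\\', '/', $name));
    if ($base === '' || $base === '.' || $base === '..' || strpos($base, "\0") !== false) {
        throw new InvalidArgumentException('Rejected filename');
    }
    // Conservative character set with exactly one extension (no "shell.php.zip"-style names).
    if (!preg_match('/^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$/', $base)) {
        throw new InvalidArgumentException('Rejected filename format');
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_UPLOAD_EXT, true)) {
        throw new InvalidArgumentException('Rejected file extension: ' . $ext);
    }
    return $base;
}

function store_upload(string $upload_dir, string $client_name, string $data): string {
    $target = rtrim($upload_dir, '/') . '/' . safe_upload_filename($client_name);
    // Never overwrite, and refuse a pre-placed symlink at the target path.
    if (file_exists($target) || is_link($target)) {
        throw new RuntimeException('Target already exists');
    }
    file_put_contents($target, $data, LOCK_EX);
    return $target;
}
```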
Tags: Exploit, Fix, RCE, Unrestricted File Upload
Affected Products: Wpvivid Backup/Migration, Phpseclib