PT-2026-7477 · WordPress · Wpvivid Backup/Migration

Lucas Montes · Published 2026-02-10 · Updated 2026-02-13

CVE-2026-1357

CVSS v3.1: 9.8 (Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Name of the Vulnerable Software and Affected Versions: WPvivid Backup & Migration versions up to and including 0.9.123
Description: The WPvivid Backup & Migration plugin for WordPress is susceptible to an unauthenticated arbitrary file upload, potentially leading to remote code execution. This issue stems from improper error handling during RSA decryption and insufficient path sanitization when handling uploaded files. Specifically, when the plugin fails to decrypt a session key, it doesn't halt execution but instead passes a false value to the AES cipher initialization, which is interpreted as null bytes. This allows attackers to encrypt malicious payloads with a predictable key. The lack of filename sanitization then enables directory traversal, allowing attackers to upload arbitrary PHP files to publicly accessible directories via the "wpvivid action=send to site" parameter. The vulnerability is primarily exploitable when the "receive backup from another site" feature is enabled, with a 24-hour key window. Approximately 800,000 to 900,000 WordPress sites are estimated to be affected.
Recommendations: Update the WPvivid Backup & Migration plugin to version 0.9.124 or later. If the "receive backup from another site" feature is enabled, consider disabling it unless absolutely necessary.
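The two defects the description names, shown as an added illustration written for this page (not code from the plugin or from phpseclib): the weak pattern beside a hardened form. Function names, the accepted AES key lengths and the .zip allow-list are assumptions.

```php
<?php
// Added illustration of the advisory's two defects; not WPvivid or phpseclib code.
// decrypt_session_key*() and store_uploaded_file*() are hypothetical names.
use phpseclib\Crypt\RSA;
use phpseclib\Crypt\AES;

// Weak: the RSA result is never checked, so a failed decryption (false) flows into
// setKey() and the cipher is initialised with a predictable key instead of aborting.
function decrypt_session_key_weak(RSA $rsa, string $encrypted_key): AES
{
    $key = $rsa->decrypt($encrypted_key);   // returns false on failure
    $aes = new AES();
    $aes->setKey($key);                      // no error raised for a false key
    return $aes;
}

// Hardened: a failed decryption is fatal, and only a valid AES key length is accepted.
function decrypt_session_key(RSA $rsa, string $encrypted_key): AES
{
    $key = $rsa->decrypt($encrypted_key);
    if ($key === false || !in_array(strlen($key), [16, 24, 32], true)) {
        throw new RuntimeException('session key decryption failed');
    }
    $aes = new AES();
    $aes->setKey($key);
    return $aes;
}

// Weak: the client-supplied name is joined to the target directory unchanged, so
// traversal sequences and an arbitrary extension in the name are honoured.
function store_uploaded_file_weak(string $dir, string $name, string $data): void
{
    file_put_contents($dir . '/' . $name, $data);
}

// Hardened: keep only the base name, enforce a strict character set and extension
// (.zip assumed here), and write only beneath the resolved backup directory.
function store_uploaded_file(string $dir, string $name, string $data): void
{
    $base = basename($name);
    if (!preg_match('/^[A-Za-z0-9_.-]+\.zip$/', $base) || strpos($base, '..') !== false) {
        throw new RuntimeException('rejected upload name');
    }
    $root = realpath($dir);
    if ($root === false) {
        throw new RuntimeException('backup directory does not exist');
    }
    file_put_contents($root . DIRECTORY_SEPARATOR . $base, $data);
}
```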

Tags: Fix · RCE · Unrestricted File Upload

Weakness Enumeration

Related Identifiers: CVE-2026-1357

Affected Products: Wpvivid Backup/Migration, Phpseclib