PT-2026-7477 · WordPress · Wpvivid Backup/Migration

Lucas Montes · Published 2026-02-10 · Updated 2026-05-08

CVE-2026-1357

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Migration, Backup, Staging – WPvivid Backup & Migration, versions prior to 0.9.124

Description

The plugin is subject to an unauthenticated arbitrary file upload that can lead to remote code execution and full site takeover. This issue affects approximately 800,000 to 900,000 devices worldwide. The flaw is exposed when the "receive a backup from another site" feature is enabled; enabling it generates a key that expires within 24 hours.

Technical details: the root cause is improper error handling during RSA decryption. When openssl_private_decrypt() fails, the plugin passes the resulting boolean false to the phpseclib library's AES cipher initialization as the key. The library treats this value as a string of null bytes, so an attacker can encrypt a malicious payload under a predictable all-null key. In addition, a lack of path sanitization allows directory traversal out of the protected backup directory, so PHP files can be written to publicly reachable directories via the wpvivid_action=send_to_site endpoint.

Recommendations

Update to version 0.9.124 or later. Disable the "receive backup from another site" feature unless it is strictly necessary.
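The two defects described above (an unchecked RSA unwrap result reaching the AES cipher, and an unsanitized destination path) next to a fail-closed alternative, as an added PHP illustration that is not WPvivid's own code; the function names and the 32-byte key length are assumptions.

```php
<?php
// Added illustration, not WPvivid's own code. Names are hypothetical; phpseclib 3
// (phpseclib3\Crypt\AES) is assumed to be installed via Composer.
use phpseclib3\Crypt\AES;

// --- Vulnerable pattern: a boolean from a failed RSA unwrap reaches the cipher ---
function unwrap_key_unsafe(string $wrapped, string $privPem)
{
    // openssl_private_decrypt() returns false on failure; this helper forwards it.
    if (!openssl_private_decrypt($wrapped, $key, $privPem)) {
        return false;
    }
    return $key;
}

function cipher_for_backup_unsafe(string $wrapped, string $privPem): AES
{
    $aes = new AES('cbc');
    $aes->setKey(unwrap_key_unsafe($wrapped, $privPem)); // false instead of a key when unwrap fails
    return $aes;
}

// --- Hardened: fail closed on decrypt failure and check the key is really a key ---
function unwrap_key_strict(string $wrapped, string $privPem): string
{
    $ok = openssl_private_decrypt($wrapped, $key, $privPem);
    if ($ok !== true || !is_string($key) || strlen($key) !== 32) { // 32 bytes = AES-256 (assumed)
        throw new RuntimeException('backup key unwrap failed; refusing request');
    }
    return $key;
}

function cipher_for_backup_strict(string $wrapped, string $privPem): AES
{
    $aes = new AES('cbc');
    $aes->setKey(unwrap_key_strict($wrapped, $privPem)); // the exception above stops the request
    return $aes;
}

// --- Keep uploaded backups inside the backup directory, with an allowed extension ---
function backup_destination(string $backupDir, string $clientName): string
{
    $base = realpath($backupDir);                         // false if the directory does not exist
    $file = basename($clientName);                        // drops any "../" or absolute prefix
    if ($base === false || !preg_match('/^[A-Za-z0-9._-]+\.zip$/', $file)) {
        throw new InvalidArgumentException('rejected backup file name');
    }
    return $base . DIRECTORY_SEPARATOR . $file;           // never a .php file, never outside $base
}
```

The strict variant turns a cryptographic failure into a rejected request instead of a silently weak key, and the destination helper removes both the traversal and the ability to choose a PHP extension.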

Exploit

Fix

RCE

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2026-1357

Affected Products

Wpvivid Backup/Migration
Phpseclib