Critical RCE flaw in WPvivid Backup & Migration affects more than 900,000 installs

A critical vulnerability in the WPvivid Backup & Migration plugin for WordPress can be exploited to achieve remote code execution by uploading arbitrary files without authentication, the National Vulnerability Database entry reported. The flaw affects all versions up to 0.9.123 and the plugin is installed on more than 900,000 sites.

KEY FACTS

  • Vulnerability: CVE-2026-1357, severity 9.8
  • Affected versions: all releases up to 0.9.123
  • Install base: more than 900,000 sites
  • Exploit window: generated backup key valid for 24 hours
  • Patch: fixed in version 0.9.124 on January 28

The root cause combines improper error handling in RSA decryption with a lack of path sanitization. When the RSA decryption routine fails, its result is passed on to the AES routine, which treats it as a predictable key, allowing crafted payloads to be accepted.

The plugin also failed to sanitize uploaded file names, allowing directory traversal and writing files outside the intended backup folder. Malicious PHP files can be uploaded and executed when the backup receive feature is enabled.

The issue is critical only for sites with the non-default “receive backup from another site” option enabled, and attackers have a 24-hour exploitation window due to the generated key validity. The plugin is commonly used for site migrations and backup transfers between hosts, as indicated on the WordPress.org plugin page.

The security update in version 0.9.124 adds a check to stop execution if RSA decryption fails, adds filename sanitization and restricts uploads to allowed backup file types such as ZIP, GZ, TAR and SQL. Administrators should upgrade to 0.9.124 to remove the vulnerability.
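The three mitigations described above (fail closed when RSA decryption fails, sanitize the uploaded file name, and allow only backup archive types) are shown below as a generic PHP backup-receive handler. This is an added illustration and not WPvivid's code: the function names, the assumption of a 32-byte AES-256 key, the regular expression for safe names and the constructed sample file names are all choices made for the example.

```php
<?php
// Added illustration (not WPvivid's code) of the fixes described in the
// article: fail closed on RSA decryption errors, sanitize the uploaded
// name, and allow only backup archive extensions. Function names, the
// 32-byte key assumption and the sample inputs are assumptions for the example.

const ALLOWED_BACKUP_EXTENSIONS = ['zip', 'gz', 'tar', 'sql'];

/**
 * Recover the AES key from an RSA-encrypted blob.
 * Returns null on any failure instead of letting a false/empty value flow
 * on to the AES routine as a predictable key (the error-handling defect).
 */
function recover_aes_key(string $encrypted_key, string $private_key_pem): ?string
{
    $key = '';
    $ok = openssl_private_decrypt($encrypted_key, $key, $private_key_pem);
    // Assumption: the transported key is a 32-byte AES-256 key.
    if ($ok !== true || !is_string($key) || strlen($key) !== 32) {
        return null; // stop here; never continue with a bogus key
    }
    return $key;
}

/**
 * Decrypt the payload only when a valid key was recovered.
 */
function decrypt_payload(string $ciphertext, string $iv, ?string $key): ?string
{
    if ($key === null) {
        return null; // the missing check in the vulnerable version
    }
    $plain = openssl_decrypt($ciphertext, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    return $plain === false ? null : $plain;
}

/**
 * Reduce an uploaded name to a safe basename with an allowed extension.
 * Returns null if the name could escape the backup directory or is not
 * one of the permitted backup types.
 */
function sanitize_backup_filename(string $raw): ?string
{
    // Drop any directory component (both slash styles), then reject
    // empty, dot-only or otherwise suspicious names.
    $name = basename(str_replace('\\', '/', $raw));
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $name)) {
        return null; // also rejects NUL bytes and path separators
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_BACKUP_EXTENSIONS, true)) {
        return null; // a .php upload is refused before anything is written
    }
    return $name;
}

/**
 * Build the on-disk path and confirm it is still inside $backup_dir
 * (defence in depth on top of the name sanitization).
 */
function resolve_backup_path(string $backup_dir, string $safe_name): ?string
{
    $base = realpath($backup_dir);
    if ($base === false) {
        return null;
    }
    $target = $base . DIRECTORY_SEPARATOR . $safe_name;
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed sample names for a quick self-check (run with `php file.php`).
$samples = ['site-backup.zip', '../../something.php', 'db.sql', 'notes.txt'];
foreach ($samples as $s) {
    $safe = sanitize_backup_filename($s);
    printf("%-24s => %s\n", $s, $safe === null ? 'rejected' : 'accepted as ' . $safe);
}
```

The order matters: the key is validated before any decryption is attempted, and the file name is reduced to a safe basename and checked against the extension allowlist before a path is ever built, so a traversal attempt or a script extension is rejected without touching the filesystem.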

WHY IT MATTERS

Sites that enable the receive backups option are at risk of full site takeover through unauthenticated file upload. Updating the plugin to 0.9.124 closes the exploited vectors and should be applied promptly.