A critical remote code execution vulnerability in the WPvivid Backup & Migration plugin (CVE-2026-1357) affects over 900,000 WordPress installations, allowing unauthenticated attackers to upload malicious files and take complete control of websites. The flaw stems from improper cryptographic error handling and insufficient file sanitization.
A critical security flaw has been discovered in the WPvivid Backup & Migration plugin for WordPress, putting more than 900,000 websites at risk of complete compromise. The vulnerability, tracked as CVE-2026-1357 with a severity score of 9.8 out of 10, allows attackers to execute arbitrary code on affected sites without authentication.
The Vulnerability Explained
The security issue stems from a combination of cryptographic mishandling and insufficient file validation. When the plugin's RSA decryption step fails, execution does not halt. The failed result (false) is passed on to the AES routine as the key, and the cryptographic code treats that false value as a string of null bytes. The effective key is therefore all zeros and known in advance, so an attacker who never held the real key can encrypt a malicious payload under it and have the plugin accept it.
Additionally, the plugin did not sanitize uploaded file names, so a name carrying directory traversal sequences could write a file outside the intended backup directory. Combined with the forged payload, this lets an attacker drop a malicious PHP file in a web-reachable location and obtain remote code execution.
Limited but Significant Exposure Window
According to researchers at WordPress security company Defiant, only sites with the non-default "receive backup from another site" option enabled are critically impacted. Exposure is further limited to a 24-hour window: the key a site generates so that other sites can send it backup files is valid for 24 hours, and the attack only works while that key is valid.
While this limitation reduces the realistic exposure, the plugin is commonly used for site migrations and backup transfers between hosts. Administrators are very likely to enable this feature at some point, at least temporarily, so the risk is significant for many users.
Technical Root Cause
Security researcher Lucas Montes (NiRoX) reported the vulnerability to Defiant on January 12. The core issue involves improper error handling in RSA decryption combined with a lack of path sanitization. Specifically:
- The return value of the openssl_private_decrypt() function is not checked, so a failed RSA decryption does not stop processing
- The failed result (false) is passed on to the AES (Rijndael) routines as the key
- The cryptographic library treats the false value as a string of null bytes, which makes the effective key predictable
- An attacker can craft a malicious payload under that known key
- Uploaded file names aren't sanitized, enabling directory traversal
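To make the failure mode concrete, the following PHP is an added example written for this page; it is not WPvivid's code, and the function names, the "RSA-wrapped AES key plus AES-256-CBC body" message layout and the payload string are assumptions about the general shape of the pattern the advisory describes. It shows the unchecked RSA result reaching openssl_decrypt() as false, which PHP coerces to an empty string and OpenSSL silently pads with null bytes to the full 32-byte key length, and the check that stops the attack.

```php
<?php
// Added example for this page, not WPvivid's code. Function names and the
// "RSA-wrapped AES key + AES-256-CBC body" layout are assumptions.

// Mirrors the advisory's description: a failed RSA decryption is signalled
// only by a false return value (openssl_private_decrypt() itself returns bool).
function rsa_unwrap_key(string $wrapped_key, string $private_key_pem)
{
    if (!openssl_private_decrypt($wrapped_key, $plain, $private_key_pem)) {
        return false;
    }
    return $plain;
}

// Vulnerable pattern: the false return is never checked. openssl_decrypt()
// takes the key as a string, false coerces to "", and OpenSSL pads a short
// key with NUL bytes up to the cipher's key length (32 bytes for AES-256),
// so the receiver decrypts under an all-zero key anyone can reproduce.
function vulnerable_decrypt(string $wrapped_key, string $iv, string $ciphertext, string $private_key_pem)
{
    $aes_key = rsa_unwrap_key($wrapped_key, $private_key_pem);
    return openssl_decrypt($ciphertext, 'aes-256-cbc', $aes_key, OPENSSL_RAW_DATA, $iv);
}

// Fixed pattern: stop as soon as RSA decryption fails, and refuse any key
// that is not exactly the length the cipher expects.
function fixed_decrypt(string $wrapped_key, string $iv, string $ciphertext, string $private_key_pem)
{
    $aes_key = rsa_unwrap_key($wrapped_key, $private_key_pem);
    if ($aes_key === false || strlen($aes_key) !== 32) {
        throw new RuntimeException('RSA key unwrap failed; refusing to decrypt payload');
    }
    return openssl_decrypt($ciphertext, 'aes-256-cbc', $aes_key, OPENSSL_RAW_DATA, $iv);
}

// What a sender who never had the real AES key can produce: a body encrypted
// under the all-zero key, with a deliberately bogus RSA blob so the unwrap
// step fails on the receiving side. (Constructed input for the demo.)
function forge_transfer(string $payload): array
{
    $iv = random_bytes(16);
    $ct = openssl_encrypt($payload, 'aes-256-cbc', str_repeat("\0", 32), OPENSSL_RAW_DATA, $iv);
    return ['wrapped_key' => 'not-an-rsa-ciphertext', 'iv' => $iv, 'ciphertext' => $ct];
}

// --- demo with a freshly generated receiver key pair (constructed input) ---
$pair = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
openssl_pkey_export($pair, $private_pem);

$forged = forge_transfer('attacker-controlled backup contents');

// The vulnerable receiver "successfully" decrypts data it was never given a key for.
var_dump(vulnerable_decrypt($forged['wrapped_key'], $forged['iv'], $forged['ciphertext'], $private_pem));

// The fixed receiver aborts at the RSA step.
try {
    fixed_decrypt($forged['wrapped_key'], $forged['iv'], $forged['ciphertext'], $private_pem);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Run it with a stock PHP CLI that has the openssl extension; no WordPress install is needed. The lesson generalizes beyond this plugin: any PHP code that passes the output of a crypto primitive straight into another one must treat a false return as fatal, because PHP's loose string coercion and OpenSSL's key zero-padding will otherwise turn "decryption failed" into "decrypt with a key of all zeros".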
Patch and Mitigation
Defiant notified the vendor, WPVividPlugins, on January 22 after validating the proof-of-concept exploit. The security update addressing CVE-2026-1357 was released in version 0.9.124 on January 28.
The fix includes several key improvements:
- Added a check to stop execution if RSA decryption fails
- Implemented filename sanitization
- Restricted uploads to allowed backup file types only (ZIP, GZ, TAR, and SQL)
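As an added illustration of the second and third fixes, here is a PHP routine written for this page, not the plugin's actual patch, that sanitizes a client-supplied file name, enforces the ZIP/GZ/TAR/SQL allow-list and confirms the final path stays inside the backup directory. The function names, the conservative character set and the extra rejection of PHP-like segments such as "shell.php.zip" are my choices, not details taken from the advisory.

```php
<?php
// Added example for this page, not WPvivid's patch. Names are hypothetical.
// Applies path sanitization, a type allow-list and a containment check to a
// client-supplied file name before anything is written to the backup directory.

const ALLOWED_BACKUP_EXTENSIONS = ['zip', 'gz', 'tar', 'sql'];

function safe_backup_target(string $backup_dir, string $client_filename): string
{
    // 1. Path sanitization: keep only the last path component, whichever
    //    separator the client used, so "../../x.php" becomes "x.php".
    $name = basename(str_replace('\\', '/', $client_filename));
    // Replace anything outside a conservative character set and forbid
    // names that are only dots (".", "..") or start with one.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);
    $name = ltrim($name, '.');
    if ($name === '') {
        throw new InvalidArgumentException('empty or invalid file name');
    }

    // 2. Type restriction: the final extension must be on the allow-list.
    $parts = explode('.', $name);
    $ext   = strtolower(end($parts));
    if (count($parts) < 2 || !in_array($ext, ALLOWED_BACKUP_EXTENSIONS, true)) {
        throw new InvalidArgumentException("file type .$ext is not an allowed backup type");
    }
    // Extra defence (my choice, not from the advisory): reject a PHP-like
    // segment anywhere in the name, so "shell.php.zip" cannot reach a server
    // that is configured to execute double-extension files.
    foreach (array_slice($parts, 0, -1) as $segment) {
        if (preg_match('/^ph(p\d?|tml|ar|ps)$/i', $segment)) {
            throw new InvalidArgumentException('script-like extension in file name');
        }
    }

    // 3. Containment: the target must sit directly inside the backup
    //    directory. basename() already guarantees this; the check is belt
    //    and braces against future edits to the steps above.
    $base = realpath($backup_dir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('backup directory does not exist');
    }
    $target = $base . DIRECTORY_SEPARATOR . $name;
    if (dirname($target) !== $base) {
        throw new RuntimeException('target escapes backup directory');
    }
    return $target;
}

// --- demo with a constructed backup directory and attacker-style names ---
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'backup_demo_' . bin2hex(random_bytes(4));
mkdir($dir);

$samples = [
    'site-backup_2026-01-28.zip',          // legitimate
    '../../wp-content/uploads/shell.php',  // traversal plus PHP upload
    '..\\..\\shell.php',                   // Windows-style traversal
    'db.sql',                              // legitimate
    'shell.php.zip',                       // double extension
    '.htaccess',                           // dotfile
];
foreach ($samples as $s) {
    try {
        echo str_pad($s, 40), ' -> ', safe_backup_target($dir, $s), PHP_EOL;
    } catch (Exception $e) {
        echo str_pad($s, 40), ' -> rejected: ', $e->getMessage(), PHP_EOL;
    }
}
rmdir($dir);
```

Inside WordPress, step 1 can lean on the core sanitize_file_name() helper, but the extension allow-list and the containment check still belong in the plugin: sanitizing a name does not by itself stop a ".php" upload, and restricting types does not by itself stop a traversal.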
Immediate Action Required
Users of the WPvivid Backup & Migration WordPress plugin should upgrade to version 0.9.124 or later immediately. The vulnerability affects all versions up to and including 0.9.123 and can lead to complete website takeover if exploited.
Administrators who cannot update immediately should disable the "receive backup from another site" feature until the patch is applied, and leave it disabled outside of active migrations, since the flaw is only reachable while it is on. Regular monitoring of WordPress installations and keeping plugins updated remain crucial for website security.
This vulnerability highlights the ongoing challenges in WordPress plugin security, particularly around file upload functionality and cryptographic operations. As WordPress continues to power a significant portion of the web, ensuring plugin security through regular updates and security audits remains essential for website administrators and developers alike.