Advisory

Critical RCE Vulnerability Reported in WPvivid Backup Plugin

Take action: If you use the WPvivid Backup & Migration plugin, update to version 0.9.124 as soon as possible. If you cannot update right away, make sure the 'receive backup from another site' feature is disabled; that closes the primary attack vector.


Learn More

The WPvivid Backup & Migration plugin for WordPress contains a critical security flaw that allows unauthenticated remote code execution (RCE). The plugin has over 900,000 active installations.

The vulnerability is tracked as CVE-2026-1357 (CVSS score 9.8). It is an unauthenticated arbitrary file upload caused by improper error handling in RSA decryption combined with a lack of path sanitization. When openssl_private_decrypt() fails, the plugin does not stop: the boolean 'false' left behind by the failed call is passed to the AES initialization routine, and the cryptographic library treats that value as a string of null bytes. An attacker therefore does not need the site's key at all; they can encrypt a malicious payload under the predictable all-zero key and the plugin will accept it. Combined with directory traversal in the filename handling, this lets the attacker write PHP files outside the intended backup directory and gain full control of the site.
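The following PHP snippet is an added illustration of the failure chain described above; it is not WPvivid's code. The function names (setup_aes_key, receive_vulnerable, receive_fixed) are hypothetical, and setup_aes_key() is an assumption that models a library which pads a short key with null bytes. The data is constructed on the spot: a freshly generated RSA key pair, random bytes standing in for an "RSA-wrapped" session key that cannot be decrypted, and a payload the attacker encrypts under the all-zero key.

```php
<?php
// Added example, not WPvivid's code: how an unchecked openssl_private_decrypt()
// failure degrades into an all-zero AES key. Function names are hypothetical.

// Models the AES key setup of a typical PHP block-cipher library, which pads a
// short key with null bytes (assumption; the real library is not shown here).
function setup_aes_key($key): string
{
    // (string) false === "", so a failed unwrap becomes 32 null bytes
    return str_pad(substr((string) $key, 0, 32), 32, "\0");
}

// Vulnerable: the return value of openssl_private_decrypt() is ignored. On
// failure the out-parameter keeps its initial value, so false flows onward.
function receive_vulnerable(string $wrapped_key, string $iv, string $ciphertext, string $priv_pem)
{
    $session_key = false;
    openssl_private_decrypt($wrapped_key, $session_key, $priv_pem);
    $aes_key = setup_aes_key($session_key);        // silently 32 null bytes
    return openssl_decrypt($ciphertext, 'aes-256-cbc', $aes_key, OPENSSL_RAW_DATA, $iv);
}

// Fixed: fail closed when the RSA unwrap fails or yields a key of the wrong size.
function receive_fixed(string $wrapped_key, string $iv, string $ciphertext, string $priv_pem): string
{
    $session_key = '';
    if (!openssl_private_decrypt($wrapped_key, $session_key, $priv_pem)
        || strlen($session_key) !== 32) {
        throw new RuntimeException('session key unwrap failed; rejecting upload');
    }
    $plaintext = openssl_decrypt($ciphertext, 'aes-256-cbc', $session_key, OPENSSL_RAW_DATA, $iv);
    if ($plaintext === false) {
        throw new RuntimeException('payload decryption failed; rejecting upload');
    }
    return $plaintext;
}

// --- demonstration with constructed data ---
$pair = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($pair, $priv_pem);

// The attacker never needs the site's key: encrypt under the predictable
// all-zero key and send garbage as the "RSA-wrapped" session key.
$zero_key     = str_repeat("\0", 32);
$iv           = random_bytes(16);
$payload      = '<?php echo "constructed sample payload"; ?>';
$ciphertext   = openssl_encrypt($payload, 'aes-256-cbc', $zero_key, OPENSSL_RAW_DATA, $iv);
$junk_wrapped = random_bytes(256);   // not a valid RSA ciphertext, so the unwrap fails

echo "vulnerable path recovered attacker payload: ",
     var_export(receive_vulnerable($junk_wrapped, $iv, $ciphertext, $priv_pem) === $payload, true), "\n";

try {
    receive_fixed($junk_wrapped, $iv, $ciphertext, $priv_pem);
    echo "fixed path accepted the upload\n";
} catch (RuntimeException $e) {
    echo "fixed path: ", $e->getMessage(), "\n";
}
```

Run it with the PHP CLI and the openssl extension loaded. The point to take away is that the vulnerable path never sees an error: openssl_private_decrypt() reports failure only through its return value, and once that is dropped, PHP's loose typing turns the leftover false into an empty string that the key setup pads into a key the attacker can predict. The fixed path checks both the return value and the unwrapped key length before any AES operation runs.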

The flaw is severe, but it primarily affects sites that have enabled the non-default 'receive backup from another site' feature, which is often used during site migrations or host transfers. Wordfence researchers have already observed hundreds of active attacks targeting this flaw shortly after its disclosure.

The vulnerability affects all versions of the WPvivid Backup & Migration plugin up to and including 0.9.123.

Administrators using this plugin should check its settings to see whether the 'receive backup' feature is enabled, since that configuration is the primary attack surface for this exploit.

WPVividPlugins released version 0.9.124 on January 28 to fix the issue. The update adds a mandatory check that halts execution when RSA decryption fails, and strict filename sanitization to prevent directory traversal. The plugin now also restricts uploads to specific backup file types (ZIP, GZ, TAR and SQL).
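The following PHP snippet is an added example of the filename and file-type checks a "receive backup" endpoint should apply; it is not WPvivid's code and does not reproduce the vendor's fix. The functions validate_backup_filename() and resolve_backup_path() are hypothetical, the extension allow-list follows the four types named above, and the sample filenames are constructed. It goes slightly beyond the page in one respect: it also rejects names with an inner executable segment (such as shell.php.zip), because some web servers dispatch on every extension in a name rather than only the last one.

```php
<?php
// Added example, not WPvivid's code: filename handling for a "receive backup"
// endpoint that refuses traversal and non-backup file types. Function names
// are hypothetical.

const ALLOWED_BACKUP_EXTENSIONS = ['zip', 'gz', 'tar', 'sql'];

function validate_backup_filename(string $name): string
{
    $shown = rawurlencode($name);   // safe to print even if $name has control bytes

    // Conservative character allow-list. "\z" (not "$") so a trailing newline
    // cannot sneak through; slashes, backslashes and NUL bytes all fail here,
    // and "." / ".." fail because the first character must be alphanumeric.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*\z/', $name)) {
        throw new InvalidArgumentException("rejected file name: $shown");
    }
    // Defence in depth: the name must already be a bare basename.
    if ($name !== basename($name)) {
        throw new InvalidArgumentException("rejected path component in name: $shown");
    }
    // The final extension must be one of the backup formats.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_BACKUP_EXTENSIONS, true)) {
        throw new InvalidArgumentException("rejected file type '$ext': $shown");
    }
    // Refuse inner executable segments (shell.php.zip, x.phtml.tar, ...).
    foreach (explode('.', $name) as $part) {
        if (preg_match('/^ph(p\d?|tml|ar)\z/i', $part)) {
            throw new InvalidArgumentException("rejected executable segment: $shown");
        }
    }
    return $name;
}

function resolve_backup_path(string $backup_dir, string $name): string
{
    $safe = validate_backup_filename($name);
    $dir  = realpath($backup_dir);
    if ($dir === false || !is_dir($dir)) {
        throw new RuntimeException("backup directory unavailable: $backup_dir");
    }
    $target = $dir . DIRECTORY_SEPARATOR . $safe;
    // Belt and braces: the final target must still sit inside the backup dir.
    if (strncmp($target, $dir . DIRECTORY_SEPARATOR, strlen($dir) + 1) !== 0) {
        throw new RuntimeException("path escaped backup directory: " . rawurlencode($target));
    }
    return $target;
}

// --- demonstration with constructed inputs ---
$backup_dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'wpvivid-demo-' . bin2hex(random_bytes(4));
mkdir($backup_dir, 0700);

$samples = [
    'site-2026-01-28.zip',                 // accepted
    'db-dump.sql',                         // accepted
    '../../wp-content/uploads/shell.php',  // traversal: rejected by the allow-list
    'shell.php.zip',                       // inner .php segment: rejected
    'backup.php',                          // wrong type: rejected
    '..',                                  // rejected
    "evil.zip\n",                          // trailing newline: rejected
];
foreach ($samples as $s) {
    try {
        echo "accept: ", resolve_backup_path($backup_dir, $s), "\n";
    } catch (Exception $e) {
        echo "reject: ", $e->getMessage(), "\n";
    }
}
rmdir($backup_dir);
```

The example rejects rather than rewrites suspicious names: stripping "../" or renaming a file quietly can leave a name that is still wrong, while a refused upload gives the sender an unambiguous error. The realpath() prefix check at the end is redundant once the allow-list holds, but it costs little and catches mistakes if the validation is later loosened.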
