The issue is tracked as CVE-2026-1357, scored 9.8 (Critical), and affects plugin versions up to and including 0.9.123, with a fix available in 0.9.124.
The most serious risk applies only when a site has enabled WPvivid’s “receive a backup from another site” feature by generating a key in the plugin settings, since the feature is disabled by default and the key can expire in at most 24 hours.
In the vulnerable flow, attackers can target the backup-receiving endpoint and trigger the upload path associated with the wpvivid_action=send_to_site parameter.
Wordfence researchers noted that the weakness comes from a crypto error-handling mistake combined with unsafe file-path handling, which together make arbitrary PHP upload and remote code execution feasible.
When RSA decryption fails during message processing, the code can continue with a false value that effectively becomes a predictable “all null bytes” key in the AES/Rijndael routine, allowing attackers to craft data the server will accept.
The plugin also accepted filenames from the decrypted payload without proper sanitization, enabling directory traversal so a file could escape the intended backup directory and land in a web-accessible location.
WPvivid fixed the issue in 0.9.124 by stopping processing when the decrypted key is empty/false and by restricting uploads to expected backup extensions (such as zip/gz/tar/sql).
| Field | Details |
|---|---|
| Vulnerability | Unauthenticated arbitrary file upload → RCE |
| CVE / CVSS | CVE-2026-1357 / 9.8 (Critical) |
| Affected versions | ≤ 0.9.123 |
| Patched version | 0.9.124 |
| Exploit condition | Receive-backup generated key enabled; max 24h expiry |
| Key attack surface | wpvivid_action=send_to_site upload path |
| Root cause | RSA decrypt failure not stopping + path traversal/unsanitized names |
Administrators should update to 0.9.124, disable the receive-backup key when not needed, rotate any generated keys, and review the web root for unexpected PHP files created around the enabled-key window.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
The post WordPress Backup Plugin Vulnerability Exposes 800,000 Sites to Remote Code Execution Attacks appeared first on Cyber Security News.
INDIANAPOLIS, Ind. (WOWO) — Pack your patience alongside your sunscreen this Memorial Day. According to…
INDIANAPOLIS, Ind. (WOWO) — Pack your patience alongside your sunscreen this Memorial Day. According to…
FORT WAYNE, Ind. (WOWO) — Some rain is likely to move in to Indiana Tuesday…
FORT WAYNE, Ind. (WOWO) — Some rain is likely to move in to Indiana Tuesday…
The U.S. Department of Education on Feb. 20, 2026. (Photo by Shauneen Miranda/States Newsroom)WASHINGTON —…
The U.S. Department of Education on Feb. 20, 2026. (Photo by Shauneen Miranda/States Newsroom)WASHINGTON —…
This website uses cookies.