A critical security flaw has been discovered in the WPvivid Backup & Migration WordPress plugin, putting approximately 800,000 websites at risk of remote code execution (RCE) and potential full site takeover.
Tracked as CVE-2026-1357 with a CVSS score of 9.8, the vulnerability affects plugin versions up to 0.9.123. The issue has been addressed in version 0.9.124, which includes critical fixes to prevent exploitation.
This article explores:
- How the WPvivid vulnerability works
- Attack vectors and risk factors
- Steps site administrators should take to secure their sites
How the Vulnerability Works
The WPvivid flaw is reachable when the "receive a backup from another site" feature is enabled:
- The feature generates a temporary key that allows the site to accept backups pushed from another server
- The key expires after 24 hours but is active for that whole window
- While it is active, an attacker can abuse the wpvivid_action=send_to_site upload path to send malicious files, without any credentials
Researchers at Wordfence identified two root causes:
- Crypto error handling
  - When RSA decryption of the incoming key fails, the plugin does not stop; it carries the failure value (false) into the next step as if it were a key
  - That value behaves as an empty key, which amounts to a predictable key of all null bytes, so an attacker can craft a payload the server will decrypt and accept
- Unsafe file-path handling
  - Filenames taken from the decrypted payload are not sanitized
  - Directory traversal sequences (such as ../) let the attacker place PHP files outside the backup directory, in web-accessible locations
Together these give an unauthenticated attacker arbitrary file upload, which on a PHP web server is effectively remote code execution.
Risk and Impact
- The plugin has roughly 800,000 installations; those running a vulnerable version with the receive-backup feature enabled are exposed
- Exploitable without authentication, meaning any attacker can target affected sites
- Can lead to full site takeover, including database compromise, defacement, and further malware deployment
Fixes and Patch Information
WPvivid patched the vulnerability in version 0.9.124 by:
- Stopping processing when the decrypted key is empty or false
- Restricting uploads to the expected backup extensions: .zip, .gz, .tar and .sql
Recommended Mitigation Steps
Site administrators should take the following actions immediately:
- Update the plugin to 0.9.124 or later
- Disable the receive-backup key when not in use
- Rotate any previously generated keys
- Audit the web root for unexpected PHP files created or modified while a receive key was active
- Monitor access logs for requests to the wpvivid_action=send_to_site upload path, and for requests that fetch PHP files from locations where none should exist
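The last two steps can be scripted. The following is an added example written for this article, not a WPvivid or Wordfence tool: it scans combined-format access log lines for the send_to_site upload path and for PHP fetched from the uploads directory, and walks a web root for PHP files modified inside the 24-hour key window. The log lines, addresses, timestamps and the key window are constructed for the example, and the exact request shape (query string versus POST body) is an assumption; a parameter that only travels in the POST body will not show up in an access log, so the file-system audit is the more reliable of the two checks.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Constructed combined-format access log lines; addresses, times and paths are
# invented for the example, not captured traffic.
SAMPLE_ACCESS_LOG = """\
198.51.100.23 - - [15/Jan/2026:09:58:40 +0000] "GET /wp-login.php HTTP/1.1" 200 4310 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Jan/2026:10:02:11 +0000] "POST /?wpvivid_action=send_to_site HTTP/1.1" 200 37 "-" "python-requests/2.31"
203.0.113.7 - - [15/Jan/2026:10:02:13 +0000] "POST /?wpvivid_action=send_to_site HTTP/1.1" 200 37 "-" "python-requests/2.31"
203.0.113.7 - - [15/Jan/2026:10:02:19 +0000] "GET /wp-content/uploads/2026/01/cache.php HTTP/1.1" 200 15 "-" "python-requests/2.31"
198.51.100.23 - - [15/Jan/2026:10:05:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".phar")

# The 24-hour window during which the receive key was active (assumed values).
KEY_WINDOW_START = datetime(2026, 1, 15, 0, 0, tzinfo=timezone.utc).timestamp()
KEY_WINDOW_END = KEY_WINDOW_START + 24 * 3600


def parse_log(text):
    """Yield a dict per line that matches the combined log format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def send_to_site_requests(text):
    """Requests that hit the wpvivid_action=send_to_site upload path."""
    return [r for r in parse_log(text)
            if "wpvivid_action=send_to_site" in r["path"].lower()]


def php_fetches_under_uploads(text):
    """Requests for PHP files under wp-content/uploads, where a dropped web
    shell is typically retrieved from; a heuristic, not a plugin rule."""
    hits = []
    for r in parse_log(text):
        path = r["path"].split("?", 1)[0].lower()
        if path.startswith("/wp-content/uploads/") and path.endswith(PHP_EXTENSIONS):
            hits.append(r["path"])
    return hits


def php_files_modified_between(root, start_ts, end_ts):
    """Walk a web root and return PHP files whose mtime falls inside the window."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(PHP_EXTENSIONS):
                full = os.path.join(dirpath, name)
                if start_ts <= os.stat(full).st_mtime <= end_ts:
                    hits.append(os.path.relpath(full, root))
    return sorted(hits)


def build_sample_tree():
    """Create a constructed mini web root in a temp dir, with mtimes set so one
    PHP file falls inside the key window and one long predates it."""
    root = tempfile.mkdtemp(prefix="wproot-")
    in_window = KEY_WINDOW_START + 10 * 3600 + 139  # 10:02:19 UTC, matching the log
    old = datetime(2025, 11, 1, tzinfo=timezone.utc).timestamp()
    for rel, mtime in {
        "wp-includes/version.php": old,
        "wp-content/wpvividbackups/site-2026-01-15.zip": in_window,
        "wp-content/uploads/2026/01/cache.php": in_window,
        "wp-content/uploads/2026/01/photo.jpg": in_window,
    }.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // placeholder\n" if rel.endswith(".php") else "data")
        os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    for r in send_to_site_requests(SAMPLE_ACCESS_LOG):
        print("send_to_site:", r["ip"], r["ts"], r["status"])
    print("php under uploads:", php_fetches_under_uploads(SAMPLE_ACCESS_LOG))
    print("php modified in key window:",
          php_files_modified_between(build_sample_tree(), KEY_WINDOW_START, KEY_WINDOW_END))
```

On a real host, point php_files_modified_between at the actual document root and set the window from the time the receive key was generated; a PHP file under uploads, the backup directory or the web root itself that appears in that window, especially one that is also fetched by the same address that posted to send_to_site, is a strong indicator that the upload was abused.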
Key Takeaways
- Always keep plugins updated — critical vulnerabilities can allow unauthenticated attacks
- Limit or disable high-risk features unless actively needed
- Regularly audit web roots and backup directories for malicious files
- Use a web application firewall (WAF) to block suspicious requests, especially for upload paths
The WPvivid vulnerability shows how even a widely used backup plugin can expose WordPress sites to critical RCE risk when it is misconfigured or left outdated. Prompt patching and keeping high-risk features disabled when not needed are essential to securing your site.