WordPress Plugin with 900K Installations Exposed to Critical RCE Vulnerability

A critical security vulnerability has been discovered in the WPvivid Backup and Migration plugin for WordPress, a widely used tool installed on more than 900,000 websites. The flaw could allow unauthenticated attackers to execute arbitrary code on vulnerable sites, potentially leading to full website compromise.

The vulnerability is tracked as CVE-2026-1357 and carries a CVSS score of 9.8, indicating maximum severity. It affects all plugin versions up to and including 0.9.123.

Exploitation Requires Specific Feature Enabled

According to researchers at WordPress security firm Defiant, the vulnerability's critical impact is limited to websites where the non-default option labeled "receive backup from another site" is enabled.

This feature allows WordPress installations to accept backup files from external sources, typically during site migrations or remote backup transfers. While not enabled by default, administrators frequently activate it temporarily during hosting transitions or backup operations.

Attackers must also exploit the flaw within a limited time frame. The generated authentication key required to send backup files remains valid for only 24 hours. Although this narrows the exposure window, the practical risk remains significant due to how commonly the feature is used.

Technical Root Cause of the Vulnerability

Security researcher Lucas Montes, also known as NiRoX, reported the vulnerability on January 12. The issue stems from improper cryptographic error handling combined with insufficient file path validation.

When the function openssl_private_decrypt fails during RSA decryption, the plugin does not properly stop execution. Instead, it passes the failed result, which evaluates to false, into the AES encryption routine.

The cryptographic library interprets this false value as a predictable string of null bytes. This behavior allows attackers to calculate the resulting encryption key and craft malicious payloads that the plugin will accept as legitimate.

Compounding the issue, the plugin does not adequately sanitize uploaded file names. This enables directory traversal, allowing attackers to write files outside the designated backup directory. By uploading malicious PHP files into accessible locations, attackers can achieve remote code execution and take control of the affected WordPress site.

Patch Released in Version 0.9.124

After validating the proof-of-concept exploit, Defiant notified the plugin developer, WPVividPlugins, on January 22. A patched version, 0.9.124, was released on January 28 to address the issue.

The update introduces several security improvements:

  • Execution now stops immediately if RSA decryption fails
  • Uploaded file names are properly sanitized to prevent directory traversal
  • File uploads are restricted to approved backup formats such as ZIP, GZ, TAR, and SQL

These changes prevent attackers from manipulating the encryption process or uploading unauthorized file types.
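The two defects described above (a failed RSA unwrap whose false result flows into the AES routine, and unsanitized upload file names) and the three fixes listed for 0.9.124 map onto a small amount of PHP. The following is an added illustration written for this article, not WPvivid's code: the function names, the AES-256-CBC choice, the key length and the directory paths are assumptions, and the constructed inputs at the bottom are for demonstration only. It pairs the unsafe pattern a reviewer should recognise with a hardened version that stops on decryption failure, strips directory components from file names and enforces the extension allowlist the patch describes.

```php
<?php
// Added illustration, not the plugin's own code. Function names, cipher choice
// and paths are assumptions made for this example.

// --- Unsafe pattern (what to look for in code review) ----------------------
// The return value of openssl_private_decrypt() is ignored. On failure the
// by-reference $aes_key stays false; PHP coerces false to "" when it is passed
// as the passphrase, and openssl_decrypt() silently NUL-pads a short passphrase
// to the cipher's key size. The effective key is therefore 32 zero bytes,
// which is exactly the "predictable string of null bytes" the advisory notes.
function unwrap_and_decrypt_unsafe(string $wrapped_key, string $ciphertext, string $iv, string $private_key_pem): string|false
{
    $aes_key = false;
    openssl_private_decrypt($wrapped_key, $aes_key, $private_key_pem); // result not checked
    return openssl_decrypt($ciphertext, 'aes-256-cbc', (string) $aes_key, OPENSSL_RAW_DATA, $iv);
}

// --- Hardened pattern: fail closed on any cryptographic error ---------------
function unwrap_and_decrypt_safe(string $wrapped_key, string $ciphertext, string $iv, string $private_key_pem): string
{
    $aes_key = '';
    $ok = openssl_private_decrypt($wrapped_key, $aes_key, $private_key_pem);
    // Stop immediately if RSA decryption fails or yields an unexpected key size
    // (32 bytes assumed here for AES-256).
    if ($ok !== true || !is_string($aes_key) || strlen($aes_key) !== 32) {
        throw new RuntimeException('RSA key unwrap failed; aborting transfer');
    }
    $plain = openssl_decrypt($ciphertext, 'aes-256-cbc', $aes_key, OPENSSL_RAW_DATA, $iv);
    if ($plain === false) {
        throw new RuntimeException('AES decryption failed; aborting transfer');
    }
    return $plain;
}

// --- File-name validation: no traversal, approved backup formats only -------
const ALLOWED_BACKUP_EXTENSIONS = ['zip', 'gz', 'tar', 'sql'];

function safe_backup_filename(string $name): string
{
    // Drop every directory component (handles both "/" and "\" separators),
    // so a traversal attempt collapses to its final segment.
    $base = basename(str_replace('\\', '/', $name));
    if ($base === '' || $base === '.' || $base === '..' || !preg_match('/^[A-Za-z0-9._-]+$/', $base)) {
        throw new InvalidArgumentException('Invalid backup file name');
    }
    // Allowlist the final extension; anything else (including .php) is refused.
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_BACKUP_EXTENSIONS, true)) {
        throw new InvalidArgumentException('Unsupported backup file type: ' . $ext);
    }
    return $base;
}

function backup_destination(string $backup_dir, string $name): string
{
    $real_dir = realpath($backup_dir);
    if ($real_dir === false) {
        throw new RuntimeException('Backup directory does not exist');
    }
    $target = $real_dir . DIRECTORY_SEPARATOR . safe_backup_filename($name);
    // Defence in depth: the final path must still sit inside the backup directory.
    if (strncmp($target, $real_dir . DIRECTORY_SEPARATOR, strlen($real_dir) + 1) !== 0) {
        throw new RuntimeException('Resolved path escapes the backup directory');
    }
    return $target;
}

// Constructed usage; "/path/to/backups" is a placeholder directory.
// echo backup_destination('/path/to/backups', 'site-2026-01.tar.gz');   // accepted
// backup_destination('/path/to/backups', '../../wp-content/shell.php');  // throws
```

The allowlist checks only the final extension, so a deployment that lets the web server execute files with multiple extensions should pair this with a web-server rule that denies script execution inside the backup directory; the fail-closed `unwrap_and_decrypt_safe` is the change that closes the null-byte-key path regardless of what the file checks do.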

Immediate Action Recommended

Given the plugin’s widespread deployment and the severity of the flaw, WordPress administrators are strongly advised to update to version 0.9.124 without delay.

Even though exploitation depends on a specific feature being enabled and a limited key validity window, the potential impact includes full website takeover, data theft, malware injection, and abuse of hosting infrastructure.
