WordPress WPvivid Backup Plugin Flaw Puts Over 800,000 Sites at Risk of Full Takeover


A critical security vulnerability in the WPvivid Backup & Migration WordPress plugin can let attackers upload files without logging in and run code on the server. This flaw is tracked as CVE-2026-1357 and has a CVSS severity score of 9.8, underlining its high risk. More than 800,000 WordPress sites using versions up to 0.9.123 may be exposed if a specific feature is enabled, according to security researchers.

A patch for this issue was released in version 0.9.124. Site owners and administrators are urged to update immediately to prevent potential site takeover by remote attackers.

What the Vulnerability Does

The flaw allows unauthenticated attackers to send specially crafted requests to a backup endpoint. Those requests can include malicious files such as PHP scripts. If accepted and stored in the publicly accessible part of the site, those files can be executed, allowing full remote code execution and total control of the site’s content and server.

The NVD entry for CVE-2026-1357 puts it this way: “This makes it possible for unauthenticated attackers to upload arbitrary PHP files to publicly accessible directories and achieve Remote Code Execution via the wpvivid_action=send_to_site parameter.”

The risk is highest when the plugin’s “receive a backup from another site” feature is active. This option is not enabled by default, but many administrators enable it briefly during migrations or external backups, creating a window of exposure.

How the Exploit Works

Security analysts explain that a combination of two coding flaws makes the exploit possible:

  1. Improper error handling in RSA decryption
  2. Lack of path sanitization for uploaded files

When the session key failed to decrypt with openssl_private_decrypt(), the plugin did not stop. It passed the function's false return value into the encryption routine instead. PHP coerces false to an empty string, and the OpenSSL extension pads a key that is shorter than the cipher requires with null bytes, so the "session key" became a predictable all-zero key. An attacker who knows that can encrypt a payload the plugin will accept without ever holding the real key.

At the same time, filenames extracted from these payloads were used as received, without stripping directory components. A name containing ../ sequences therefore let an attacker place a file outside the intended backup folder, including in web-accessible directories where PHP is executed.
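The two flaws listed above, as an added example in PHP. This is a hypothetical reconstruction of the pattern the description implies, not WPvivid's code: the function names, the choice of aes-256-cbc with a 32-byte key, and the .zip allow-list are assumptions. The vulnerable pair returns false from a failed openssl_private_decrypt() and feeds it to openssl_encrypt(), where it collapses to an all-zero key, and concatenates the received filename so ../ escapes the backup directory. The hardened pair aborts on decryption failure and confines the filename.

```php
<?php
// Added example: a hypothetical reconstruction of the two defects described
// above, written to show the mechanism. It is not WPvivid's code; function
// names, the aes-256-cbc / 32-byte key choice and the .zip allow-list are
// assumptions. Requires PHP 8.0+ with ext-openssl.

// ---- Flaw 1: a failed RSA unwrap must stop processing -----------------------

// Vulnerable: returns false when the wrapped key does not decrypt. A caller
// that never checks passes false on as the AES key.
function unwrap_session_key_vulnerable(string $wrapped, $privateKey) {
    $sessionKey = '';
    if (openssl_private_decrypt($wrapped, $sessionKey, $privateKey)) {
        return $sessionKey;
    }
    return false;
}

// Hardened: decryption failure (or a key of the wrong length) is fatal.
function unwrap_session_key_hardened(string $wrapped, $privateKey): string {
    $sessionKey = '';
    if (!openssl_private_decrypt($wrapped, $sessionKey, $privateKey)
        || strlen($sessionKey) !== 32) {
        throw new RuntimeException('session key unwrap failed; aborting transfer');
    }
    return $sessionKey;
}

// ---- Flaw 2: the filename from the payload must be confined -----------------

// Vulnerable: the name is concatenated as received, so "../../x.php" lands
// wherever the traversal points.
function store_backup_vulnerable(string $backupDir, string $name, string $data): string {
    $path = $backupDir . '/' . $name;
    file_put_contents($path, $data);
    return $path;
}

// Hardened: drop any directory component, allow only an expected name shape
// and extension, and verify the resolved path is still inside $backupDir.
function store_backup_hardened(string $backupDir, string $name, string $data): string {
    $base = basename($name);
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*\.zip$/', $base)) {
        throw new RuntimeException("rejected filename: $name");
    }
    $root = realpath($backupDir);
    if ($root === false) {
        throw new RuntimeException('backup directory does not exist');
    }
    $path = $root . DIRECTORY_SEPARATOR . $base;
    if (!str_starts_with($path, $root . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException('path escaped backup directory');
    }
    file_put_contents($path, $data);
    return $path;
}

// ---- Demonstration -----------------------------------------------------------
$priv = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$garbage = random_bytes(256);            // constructed: not a ciphertext made for $priv
$iv = str_repeat("\x01", 16);            // fixed IV so the two ciphertexts are comparable

$key = unwrap_session_key_vulnerable($garbage, $priv);            // false
$withFalse = openssl_encrypt('hello', 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
$withZeros = openssl_encrypt('hello', 'aes-256-cbc', str_repeat("\0", 32), OPENSSL_RAW_DATA, $iv);
var_dump($withFalse === $withZeros);     // bool(true): false became a 32-byte null key

try {
    unwrap_session_key_hardened($garbage, $priv);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}

$dir = sys_get_temp_dir() . '/backup_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
$escaped = store_backup_vulnerable($dir, '../escaped_demo.txt', 'x');
echo "vulnerable wrote: $escaped", PHP_EOL;   // one level above $dir
foreach (['../escaped_demo.php', 'site.zip'] as $name) {
    try {
        echo 'hardened wrote: ', store_backup_hardened($dir, $name, 'x'), PHP_EOL;
    } catch (RuntimeException $e) {
        echo $e->getMessage(), PHP_EOL;
    }
}
@unlink($escaped); @unlink("$dir/site.zip"); rmdir($dir);   // tidy the demo files
```

The first var_dump is the point of the example: because openssl_encrypt() zero-pads a short key, an empty key and a 32-byte null key encrypt identically, which is what "predictable null-byte string" means in practice. The hardened store function relies on basename() plus an allow-list; the realpath() containment check is redundant after basename() but cheap, and it is the check that survives if someone later relaxes the regex.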

Who Reported It and How It Was Fixed

The issue was discovered by security researcher Lucas Montes (NiRoX) and responsibly reported to the Wordfence Bug Bounty Program on January 12, 2026. Wordfence assigned the CVE designation and tracked the vulnerability.

Wordfence released a firewall rule for premium users on January 22, 2026, to block exploit attempts. Free users of the Wordfence plugin will receive the same protection on February 21, 2026.

The WPvivid development team responded quickly and released a patched version (0.9.124) on January 28, 2026. This update adds safeguards to halt processing if RSA decryption fails and enforces strict file type checks for uploads.

Plugin Popularity and Exposure

WPvivid Backup & Migration is widely used among WordPress sites. According to Wordfence data, it has around 900,000 active installations.

Not all of these sites are necessarily vulnerable at any given time. The critical exploit path only applies when the backup key feature is enabled, creating a temporary security window. However, because site migrations and remote backups are common, this feature may be activated frequently.

Technical Summary of the Flaw

Aspect                 Details
CVE ID                 CVE-2026-1357
Severity               CVSS 9.8 (Critical)
Affected Versions      ≤ 0.9.123
Patched Version        0.9.124
Active Installations   ~800,000–900,000
Exploit Condition      Plugin's backup receive feature enabled
Attack Vector          Unauthenticated arbitrary file upload
Parameter              wpvivid_action=send_to_site
Root Causes            RSA error mis-handling + path sanitization gap

What Site Owners Should Do Now

Update the plugin to version 0.9.124 or newer immediately.

Disable the “receive backup from another site” feature when not in use.

Rotate any generated keys that were used for backup transfers.

Scan the web root for unexpected PHP files that may have been uploaded during the exposed period.

Use a Web Application Firewall (WAF) to block suspicious requests to the vulnerable parameter.
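The scan and the request-blocking steps above, as an added example: a small PHP CLI triage script (not WPvivid's or Wordfence's tooling) that walks a WordPress install for PHP files where only data should live and groups access-log lines carrying the vulnerable parameter by client. The web root path, the Apache/Nginx combined log format, the request path in the sample lines, and the rule that nothing under wp-content/uploads should be PHP are assumptions.

```php
<?php
// Added example: a post-exposure triage script for one WordPress install.
// Not WPvivid's or Wordfence's tooling. Assumptions: the web root path,
// Apache/Nginx "combined" log format, and the rule that nothing under
// wp-content/uploads should be executable PHP. Requires PHP 8.0+.

/**
 * Return PHP-like files found under directories that should hold only data.
 * Catches .php/.php5/.phtml/.phar and double extensions such as x.php.jpg.
 */
function find_unexpected_php(string $root, array $dataDirs = ['wp-content/uploads']): array {
    $hits = [];
    foreach ($dataDirs as $rel) {
        $dir = rtrim($root, '/') . '/' . $rel;
        if (!is_dir($dir)) {
            continue;
        }
        $it = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
        );
        foreach ($it as $file) {
            if (preg_match('/\.ph(p[0-9]?|tml|ar)(\.|$)/i', $file->getFilename())) {
                $hits[] = [
                    'path'  => $file->getPathname(),
                    'size'  => $file->getSize(),
                    'mtime' => date('c', $file->getMTime()),
                ];
            }
        }
    }
    return $hits;
}

/**
 * Return access-log lines that carry the vulnerable parameter, keyed by
 * client address so repeat probers stand out.
 */
function find_exploit_attempts(array $logLines): array {
    $byClient = [];
    foreach ($logLines as $line) {
        if (stripos($line, 'wpvivid_action=send_to_site') === false) {
            continue;
        }
        $client = explode(' ', $line, 2)[0];   // first field of the combined format
        $byClient[$client][] = $line;
    }
    return $byClient;
}

// ---- Demo on constructed data -------------------------------------------------
$root = sys_get_temp_dir() . '/wp_demo_' . bin2hex(random_bytes(4));
mkdir("$root/wp-content/uploads/2026/01", 0700, true);
file_put_contents("$root/wp-content/uploads/2026/01/photo.jpg", 'JFIF');      // benign
file_put_contents("$root/wp-content/uploads/2026/01/cache.php.jpg", '<?php'); // suspect

foreach (find_unexpected_php($root) as $hit) {
    printf("SUSPECT %s (%d bytes, modified %s)\n", $hit['path'], $hit['size'], $hit['mtime']);
}

$sampleLog = [   // constructed lines; the request path is illustrative only
    '203.0.113.5 - - [20/Jan/2026:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Jan/2026:10:00:02 +0000] "POST /?wpvivid_action=send_to_site HTTP/1.1" 200 93 "-" "python-requests/2.31"',
    '198.51.100.7 - - [20/Jan/2026:10:00:09 +0000] "POST /?wpvivid_action=send_to_site HTTP/1.1" 200 93 "-" "python-requests/2.31"',
];
foreach (find_exploit_attempts($sampleLog) as $client => $lines) {
    printf("ATTEMPT %s: %d request(s) carrying send_to_site\n", $client, count($lines));
}

// Remove the constructed tree.
array_map('unlink', glob("$root/wp-content/uploads/2026/01/*"));
rmdir("$root/wp-content/uploads/2026/01"); rmdir("$root/wp-content/uploads/2026");
rmdir("$root/wp-content/uploads"); rmdir("$root/wp-content"); rmdir($root);
```

Run it on the host with the real web root in place of the temp tree, and add the plugin's backup directory to $dataDirs if your install keeps backups somewhere other than uploads. Two caveats: a web-server access log only records parameters that appear in the query string, so a request that carries wpvivid_action in the POST body will not show up there, which is one reason to put the WAF rule in front of the site rather than rely on log review; and a file's mtime can be set by the attacker, so treat the date as a hint, not as proof of when it arrived.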

How to Protect Your Site

Best practices for WordPress security include:

  • Keep WordPress core and all plugins up to date.
  • Avoid enabling features that allow arbitrary external access unless essential.
  • Use security plugins that detect or block unusual upload attempts.
  • Perform regular backups and store them offsite.
  • Monitor web directories for unauthorized changes.

Layered defenses reduce the risk that a single plugin flaw leads to a full site compromise.

FAQ

Q: Is every WordPress site using WPvivid vulnerable?

A: No. The critical risk applies only when the backup-receiving feature is enabled and a temporary key is active. Many sites do not use this feature regularly.

Q: What happens if a site is exploited?

A: A successful exploit lets an attacker upload and run arbitrary PHP code, which can lead to full site takeover, defacement, or data theft.

Q: Should I update right now?

A: Yes. Updating to version 0.9.124 or later removes the vulnerability and is strongly recommended.

Q: What if I cannot update immediately?

A: Temporarily disabling the plugin and applying a Web Application Firewall rule to block the vulnerable upload path can reduce risk until the patch is applied.

Q: What is the significance of the 24-hour key?

A: The key is generated when enabling remote backup reception and is valid for up to 24 hours. That period represents the window attackers can exploit the flaw if active.

Readers help support VPNCentral. We may get a commission if you buy through our links. Read our disclosure page to find out how you can help VPNCentral sustain the editorial team.
