Vulnerability Management, Patch/Configuration Management

Critical vulnerability in WPvivid backup plugin allows remote code execution

(Credit: Bilal Ulker – stock.adobe.com)

Bleeping Computer reports that a critical vulnerability in the WPvivid Backup & Migration plugin, affecting over 900,000 WordPress websites, has been discovered. This flaw allows unauthenticated attackers to execute arbitrary code on a website.

The vulnerability, tracked as CVE-2026-1357 with a severity score of 9.8, impacts all versions of the plugin up to 0.9.123. While the most critical impact is limited to sites with the "receive backup from another site" option enabled and a 24-hour exploitation window due to key validity, the plugin's common use for migrations means many administrators may enable this feature.

The exploit stems from improper error handling in RSA decryption combined with a lack of path sanitization. When decryption fails, the plugin incorrectly generates a predictable key. Additionally, insufficient sanitization of uploaded filenames allows for directory traversal, enabling the upload of malicious PHP files for remote code execution. Website administrators are urged to update to version 0.9.124 immediately to mitigate the threat.

Source: Bleeping Computer

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds