Bleeping Computer reports that a critical vulnerability in the WPvivid Backup & Migration plugin, affecting over 900,000 WordPress websites, has been discovered. This flaw allows unauthenticated attackers to execute arbitrary code on a website.The vulnerability, tracked as CVE-2026-1357 with a severity score of 9.8, impacts all versions of the plugin up to 0.9.123. While the most critical impact is limited to sites with the "receive backup from another site" option enabled and a 24-hour exploitation window due to key validity, the plugin's common use for migrations means many administrators may enable this feature.The exploit stems from improper error handling in RSA decryption combined with a lack of path sanitization. When decryption fails, the plugin incorrectly generates a predictable key. Additionally, insufficient sanitization of uploaded filenames allows for directory traversal, enabling the upload of malicious PHP files for remote code execution. Website administrators are urged to update to version 0.9.124 immediately to mitigate the threat.Source: Bleeping Computer
Vulnerability Management, Patch/Configuration Management
Critical vulnerability in WPvivid backup plugin allows remote code execution

(Credit: Bilal Ulker – stock.adobe.com)
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



