Critical (9.8)

WordPress Vulnerability (CVE-2026-1357) [PoC]

CVE-2026-1357

The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Upload in versions up to and including 0.9.123. This is due to improper...

Affected: WordPress

Overview

A critical security vulnerability has been identified in the popular WPvivid Backup & Migration plugin for WordPress. This flaw allows an attacker without any login credentials to upload malicious files directly to a vulnerable website, potentially leading to a complete site takeover.

Vulnerability Explained

In simple terms, the plugin's upload handling has two failures. First, when a specific decryption step fails, the plugin does not abort the upload; it falls back to a predictable, all-zero encryption key, so an attacker who knows that key can craft a payload the plugin will accept. Second, the plugin does not properly validate the destination file path, so the uploaded file can be written outside the intended backup directory and into a publicly accessible directory on the web server (path traversal).

By chaining these two flaws through a specific plugin action (wpvivid_action=send_to_site), an unauthenticated attacker can upload a PHP file containing arbitrary code, which the web server will then execute when that file is requested.
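The two fail-open patterns described above, as an added illustration in Python (hypothetical code written for this page, not WPvivid's own PHP and not derived from it): a handler that substitutes an all-zero key when the real key cannot be loaded and joins the caller's filename to the backup directory unchecked, beside a handler that fails closed and confines the destination path. The toy XOR-plus-HMAC cipher, the `load_site_key` lookup, the `migration_key` setting name and the `/srv/example/...` path are all assumptions made so the example runs offline; they stand in for the plugin's real decryption step rather than reproduce it.

```python
"""Hypothetical illustration of the two upload failures described above.

This is example code written for this page, not WPvivid's own code: a toy
cipher and key lookup stand in for the plugin's decryption step so that the
fail-open key fallback and the unconfined destination path can be run offline.
"""
import hashlib
import hmac
import os

KEY_LEN = 32
TAG_LEN = 32
ZERO_KEY = b"\x00" * KEY_LEN  # the predictable fallback key at the heart of the first flaw


def _keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 of key || counter, concatenated. Not for real use."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under `key`; anyone who knows the key can produce a valid blob."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return tag + ct


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag under `key`, then decrypt. Raises on a wrong key or tampering."""
    tag, ct = blob[:TAG_LEN], blob[TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered payload")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, len(ct))))


def load_site_key(settings: dict) -> bytes:
    """Assumed key lookup (the `migration_key` setting name is invented for this example)."""
    key = settings.get("migration_key")
    if not isinstance(key, bytes) or len(key) != KEY_LEN:
        raise KeyError("no migration key configured")
    return key


def confine(base_dir: str, filename: str) -> str:
    """Resolve `filename` under `base_dir` and reject anything that escapes it."""
    base = os.path.realpath(base_dir)
    dest = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, dest]) != base:
        raise ValueError(f"destination escapes backup directory: {filename!r}")
    return dest


def vulnerable_receive(backup_dir: str, settings: dict, filename: str, blob: bytes):
    """Fail-open pattern: a key error is swallowed and ZERO_KEY is used instead,
    and the caller-supplied filename is joined to the backup directory unchecked."""
    try:
        key = load_site_key(settings)
    except KeyError:
        key = ZERO_KEY  # anyone can forge a payload under a key of all zeros
    data = toy_decrypt(key, blob)
    dest = os.path.join(backup_dir, filename)  # "../" in filename walks out of backup_dir
    return dest, data


def hardened_receive(backup_dir: str, settings: dict, filename: str, blob: bytes):
    """Fail-closed pattern: a missing key aborts the request, and the path is confined."""
    key = load_site_key(settings)  # KeyError propagates; there is no fallback key
    data = toy_decrypt(key, blob)
    dest = confine(backup_dir, filename)
    return dest, data


def demo() -> dict:
    """Exercise both handlers with a payload forged under ZERO_KEY and a traversal filename."""
    backup_dir = "/srv/example/wp-content/wpvividbackups"  # hypothetical path
    no_key = {}  # site has no migration key configured
    forged = toy_encrypt(ZERO_KEY, b"arbitrary attacker-chosen bytes")
    results = {"vulnerable": vulnerable_receive(backup_dir, no_key, "../uploads/x.php", forged)}
    try:
        hardened_receive(backup_dir, no_key, "../uploads/x.php", forged)
        results["hardened_no_key"] = "accepted"
    except KeyError as exc:
        results["hardened_no_key"] = f"rejected: {exc}"
    real = {"migration_key": os.urandom(KEY_LEN)}
    genuine = toy_encrypt(real["migration_key"], b"real backup bytes")
    try:
        hardened_receive(backup_dir, real, "../uploads/x.php", genuine)
        results["hardened_traversal"] = "accepted"
    except ValueError as exc:
        results["hardened_traversal"] = f"rejected: {exc}"
    results["hardened_ok"] = hardened_receive(backup_dir, real, "site-backup.zip", genuine)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the fallback is that a key of all zeros is not a secret: whoever can reach the endpoint can produce a payload that verifies under it. The hardened handler treats a missing key as a hard error and, independently of the key question, refuses any destination whose real path does not sit inside the backup directory, so the two fixes do not depend on each other.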

Potential Impact

The impact of this vulnerability is severe (CVSS Score: 9.8/10, CRITICAL). A successful attack can result in:

  • Remote Code Execution (RCE): Attackers can run any code they choose on your web server.
  • Complete Website Compromise: This can lead to data theft, defacement, installation of backdoors, or use of your site for malicious activities like phishing or malware distribution.
  • Server Compromise: An attacker may leverage access to your website to attack other sites on the same server or your internal network.

Remediation and Mitigation

Immediate action is required to protect your WordPress site.

Primary Solution – Update Immediately: The plugin developers have released a fix. Update the “Migration, Backup, Staging – WPvivid Backup & Migration” plugin to version 0.9.124 or higher immediately. This is the only complete remedy.

Immediate Mitigation (If Update is Not Instantly Possible):

  1. Deactivate the Plugin: If you cannot update right away, deactivate the WPvivid plugin from the WordPress admin dashboard until you can apply the patch.
  2. Check for Compromise: Review your site's files, especially under wp-content/uploads/ and in the web root, for recently added or modified PHP files, and review web server access logs for requests carrying wpvivid_action=send_to_site. Monitor for unknown administrator users or other unexpected behaviour.
  3. General Security Hygiene: Ensure all other plugins, themes, and WordPress core are updated. If a web application firewall (WAF) is available, add a rule that blocks requests containing wpvivid_action=send_to_site; note that this also blocks the plugin's legitimate use of that action until the patch is applied, and that a WAF rule is a stopgap, not a substitute for the update.
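A triage helper for steps 2 and 3 above, added here as an example (not code from the advisory or from the plugin): it scans web server access-log lines for the `wpvivid_action=send_to_site` parameter and walks an uploads directory for PHP files written within a given window. The sample log lines, the client addresses and the temporary uploads tree are constructed inline; the request path in the sample is a placeholder, since this page does not state which endpoint carries the action. The code comments spell out the caveat a practitioner needs: a standard access log records only the query string, so an action parameter sent in a POST body would not show up here.

```python
"""Added triage helper for the 'Check for Compromise' step above.

Example code written for this page, not from the advisory or the plugin. It
looks for the vulnerable action in access-log request lines and lists PHP files
recently written under an uploads directory. All sample data is constructed.
"""
import os
import re
import tempfile
import time

# The parameter named in the advisory. The request path it appears in below is a
# placeholder: this page does not state which endpoint carries the action.
ACTION = re.compile(r"wpvivid_action=send_to_site")

# Combined log format: client, ident, user, [timestamp], "METHOD target proto", status ...
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log (documentation addresses only).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Feb/2026:10:41:03 +0000] "POST /?wpvivid_action=send_to_site HTTP/1.1" 200 512
198.51.100.2 - - [12/Feb/2026:10:41:09 +0000] "GET /wp-content/uploads/2026/02/cache.php HTTP/1.1" 200 84
192.0.2.9 - - [12/Feb/2026:10:42:00 +0000] "GET /index.php HTTP/1.1" 200 10231
"""

PHP_SUFFIXES = (".php", ".phtml")


def find_action_hits(log_text: str) -> list:
    """Return parsed request records whose target carries the vulnerable action.

    Caveat: an access log records only the query string, so an action parameter
    sent in a POST body will not appear here. Pair this with body-inspecting WAF
    logs if you have them.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and ACTION.search(m["target"]):
            hits.append(m.groupdict())
    return hits


def find_recent_php(root: str, max_age_seconds: float) -> list:
    """List PHP-like files under `root` modified within `max_age_seconds`, relative to root."""
    cutoff = time.time() - max_age_seconds
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(PHP_SUFFIXES):
                full = os.path.join(dirpath, name)
                if os.path.getmtime(full) >= cutoff:
                    found.append(os.path.relpath(full, root))
    return sorted(found)


def build_sample_uploads() -> str:
    """Create a throwaway uploads tree: one old PHP file, one fresh PHP file, one image."""
    root = tempfile.mkdtemp(prefix="uploads-sample-")
    old_dir = os.path.join(root, "2025", "11")
    new_dir = os.path.join(root, "2026", "02")
    os.makedirs(old_dir)
    os.makedirs(new_dir)
    legacy = os.path.join(old_dir, "legacy.php")
    with open(legacy, "w") as fh:
        fh.write("<?php // long-standing file\n")
    thirty_days_ago = time.time() - 30 * 86400
    os.utime(legacy, (thirty_days_ago, thirty_days_ago))  # backdate the old file
    with open(os.path.join(new_dir, "cache.php"), "w") as fh:
        fh.write("<?php // written minutes ago\n")
    with open(os.path.join(new_dir, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff")  # not PHP; must not be reported
    return root


def triage(log_text: str, uploads_root: str, max_age_seconds: float = 7 * 86400) -> dict:
    """Combine both checks into one report."""
    return {
        "action_hits": find_action_hits(log_text),
        "recent_php": find_recent_php(uploads_root, max_age_seconds),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, build_sample_uploads())
    for hit in report["action_hits"]:
        print(f"action hit from {hit['client']} at {hit['ts']}: {hit['method']} {hit['target']}")
    for path in report["recent_php"]:
        print(f"recent PHP file under uploads: {path}")
```

On a real site, pass the contents of the access log and the path to wp-content/uploads/ to `triage`, and widen `max_age_seconds` to cover the period since the vulnerable version was installed rather than the default seven days; a hit on the action followed shortly by a request for a new PHP file under uploads is the sequence to look for.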

All users of WPvivid Backup & Migration version 0.9.123 and below should treat this vulnerability as an urgent priority.


Public PoC References

Unverified third-party code

These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).

Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.

Repository (GitHub stars) and description:

  • LucasM0ntes/POC-CVE-2026-1357 (★ 12): POC-CVE-2026-1357
  • halilkirazkaya/CVE-2026-1357 (★ 10): CVE-2026-1357 — WPvivid Backup & Migration ≤ 0.9.123 Unauthenticated RCE Exploit
  • cybertechajju/CVE-2026-1357-POC (★ 9)
  • itsismarcos/Exploit-CVE-2026-1357 (★ 1): Exploit CVE-2026-1357
  • Nxploited/CVE-2026-1357 (★ 1): Migration, Backup, Staging <= 0.9.123 - Unauthenticated Arbitrary File Upload

Showing 5 of 5 known references. Source: nomi-sec/PoC-in-GitHub.
