Over 800,000 WordPress websites are vulnerable to unauthenticated remote code execution due to a serious flaw in the WPvivid Backup plugin. This vulnerability, which was found through Wordfence's Bug Bounty Program, enables attackers to upload malicious files when a website activates a particular backup transfer feature.

Up until version 0.9.123, the WPvivid Backup & Migration plugin—also referred to as Migration, Backup, and Staging—had an unauthenticated arbitrary file upload problem. Tracked as CVE-2026-1357, it carries a critical CVSS score of 9.8. Attackers can exploit it through the wpvivid_action=send_to_site parameter and upload webshells or other payloads to take over the entire website. The vulnerability is caused by inadequate handling of RSA decryption errors and a lack of path sanitization.

When openssl_private_decrypt() fails on the session key it returns false, and phpseclib's AES cipher accepts that false as a key, so attackers can craft payloads that decrypt predictably. The plugin then writes the uploaded files without verifying extensions or paths, which allows directory traversal into publicly accessible directories where PHP executes. Source of the WordPress Backup Plugin Exploit details: Wordfence.

Only websites that have a generated receive key enabled—off by default, with a 24-hour maximum expiration—are impacted. Nevertheless, with more than 800,000 active installations, the chance of misconfigured setups is significant.

CVE ID: CVE-2026-1357
CVSS Score: 9.8 (Critical)
Affected Versions: <= 0.9.123
Patched Version: 0.9.124
Researcher: Lucas Montes (NiRoX)

Technical Issues and Solutions

The plugin uses a site-specific private key in the send_to_site() function to decrypt POST data.

When that decryption fails, the false value is passed on as the AES key, and Rijndael encryption proceeds with a key of null bytes that an attacker can predict. Because uploaded filenames are not sanitized, files can escape the backup directory into web-accessible locations. The decrypt_message() method proceeds without any check for failed decryption.

Because there is no file-type validation during upload, PHP shells can be uploaded. If the receive-key feature is enabled, attackers bypass authentication and send specially crafted base64-encoded content in the wpvivid_content parameter. In 0.9.124 the developers added the check if ($key === false || empty($key)) { return false; } to decrypt_message() to stop invalid flows, and in send_to_site() they added in_array checks and preg_replace sanitization to enforce allowed extensions such as zip, gz, tar, and sql.
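As an added illustration (not the plugin's own code), the PHP below sketches the two hardening checks described above: rejecting a false or empty session key before symmetric decryption, and restricting the upload name and extension. The backup directory path is an assumption, and openssl_decrypt() stands in for the plugin's phpseclib Rijndael cipher.

```php
<?php
// Illustrative hardening example, not WPvivid's code. It mirrors the 0.9.124
// fixes: refuse to continue when RSA decryption of the session key fails
// (instead of passing false to the AES cipher), and restrict uploaded
// filenames to a safe name with an allowed extension.

const BACKUP_DIR = '/var/www/html/wp-content/wpvividbackups';   // assumed location
const ALLOWED_EXTENSIONS = ['zip', 'gz', 'tar', 'sql'];          // from the advisory

// Recover the AES session key from its RSA-encrypted form, or return false.
function recover_session_key(string $encrypted_key, string $private_key_pem)
{
    $key = '';
    if (!openssl_private_decrypt($encrypted_key, $key, $private_key_pem)) {
        return false;           // a failed decryption must not yield a usable key
    }
    return empty($key) ? false : $key;
}

// Decrypt the message body; this is the guard 0.9.124 adds to decrypt_message().
function decrypt_message(string $ciphertext, string $iv, $key)
{
    if ($key === false || empty($key)) {
        return false;           // a false/empty key would otherwise become null bytes
    }
    return openssl_decrypt($ciphertext, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
}

// Reduce a client-supplied filename to a safe target inside the backup directory.
// Returns the absolute path, or false when the name or extension is not acceptable.
function safe_backup_target(string $client_name)
{
    $name = basename($client_name);                         // strip ../ and directories
    $name = preg_replace('/[^A-Za-z0-9._-]/', '', $name);   // keep a conservative charset
    if ($name === '' || $name[0] === '.') {
        return false;                                       // rejects '..' and dotfiles
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return false;                                       // .php, .phtml, etc. refused
    }
    return BACKUP_DIR . '/' . $name;
}

// Constructed inputs: a traversal attempt is rejected, a normal backup name passes.
var_dump(safe_backup_target('../../wp-content/shell.php'));
var_dump(safe_backup_target('site-backup_2026-01-28.tar.gz'));
```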

Firewall rules were delivered to Wordfence Premium, Care, and Response users on January 22, 2026; free users received them on February 21. Through the program, which pays up to $31,200 per find, researcher Lucas Montes received $2,145.

Disclosure Timeline

After receiving the report on January 12, 2026, Wordfence verified it and got in touch with WPvivid on January 22. On January 23, the vendor sent an email with details, and on January 28, the issue was fixed. The bounty was paid after the fix; per Wordfence policy, free users received protection after a 30-day delay.

Users need to update to 0.9.124 from wordpress.org/plugins/wpvivid-backuprestore/ right away. If the receive key is not being used, turn it off. Because RCEs can result in data theft, defacement, or backdoors, Wordfence strongly advises sharing this warning.

Wordfence's bug bounty program manages disclosures for free and contributes to ecosystem security. You can submit findings at wordfence.com/threat-intel/vulnerabilities/submit/. Multi-layered defenses of this kind (firewalls, patches, and research) increase the resilience of WordPress.