A critical vulnerability in the WPvivid Backup & Migration WordPress plugin may allow an unauthenticated attacker to upload files and execute code on the server, which frequently results in a complete site takeover. Tracked as CVE-2026-1357, the issue has a CVSS score of 9.8 (Critical), affects plugin versions up to and including 0.9.123, and is fixed in 0.9.124.

The feature is disabled by default and a generated key expires after at most 24 hours, so the most serious risk arises only when a site has enabled WPvivid's "receive a backup from another site" feature by generating a key in the plugin settings. During that window, attackers can target the backup-receiving endpoint in the vulnerable flow and reach the upload path tied to the wpvivid_action=send_to_site parameter.

According to Wordfence researchers, the vulnerability stems from a cryptographic error-handling flaw combined with unsafe file-path handling; together they allow arbitrary PHP uploads and remote code execution.

How the upload process operates

When RSA decryption of a message fails during processing, the decryption routine returns false, and that false value is then used as the key for the AES/Rijndael routine, where it effectively becomes a predictable "all null bytes" key. An attacker can therefore craft data that the server will accept. Additionally, the plugin used filenames from the decrypted payload without proper sanitization, so directory traversal could move a file out of the backup directory and into a location reachable over the internet.

In version 0.9.124, WPvivid resolved the problem by stopping processing when the decrypted key is empty or false and by limiting uploads to expected backup extensions (such as zip, gz, tar, and sql).
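The two checks the fix describes, written as stand-alone PHP functions. This is an added illustration, not WPvivid's code: the function names, the OAEP padding choice, the backup directory and the double-extension check are assumptions, and the extension allowlist is the one the article lists.

```php
<?php
// Added example (not WPvivid's code). Shows the two controls the article describes:
// stop when RSA decryption fails, and confine uploaded filenames to the backup directory.

// Extension allowlist taken from the article; the list itself is the only thing here
// that comes from the page.
const BACKUP_EXT_ALLOWLIST = ['zip', 'gz', 'tar', 'sql'];

/**
 * Decrypt the per-message symmetric key with the site's RSA private key.
 * Returns the key bytes, or null when decryption fails. The caller must stop on
 * null instead of passing a false/empty value on to the AES routine, which is
 * the failure mode that produced a predictable key in the vulnerable flow.
 * (OAEP padding is an assumption, not a statement about the plugin.)
 */
function decrypt_session_key(string $encrypted_key, string $private_key_pem): ?string
{
    $decrypted = '';
    $ok = openssl_private_decrypt($encrypted_key, $decrypted, $private_key_pem, OPENSSL_PKCS1_OAEP_PADDING);
    // openssl_private_decrypt() returns false on failure; never treat the return
    // value or an empty buffer as a usable key.
    if ($ok !== true || $decrypted === '') {
        return null;
    }
    return $decrypted;
}

/**
 * Turn a filename taken from a decrypted payload into a path that is guaranteed
 * to sit directly inside $backup_dir and to carry an expected backup extension.
 * Returns null on any violation so the caller can abort the upload.
 */
function safe_backup_path(string $backup_dir, string $client_filename): ?string
{
    // Drop every directory component the client may have sent ("../", absolute paths,
    // backslashes), leaving only the final name.
    $name = basename(str_replace('\\', '/', $client_filename));
    if ($name === '' || $name === '.' || $name === '..' || strpos($name, "\0") !== false) {
        return null;
    }

    // Only the final extension decides what the file is allowed to be.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, BACKUP_EXT_ALLOWLIST, true)) {
        return null;
    }

    // Extra hardening (assumption, not from the article): refuse names such as
    // "x.php.zip", which some server configurations still hand to the PHP handler.
    foreach (explode('.', $name) as $segment) {
        if (preg_match('/^(php\d?|phtml|phar)$/i', $segment)) {
            return null;
        }
    }

    $base = realpath($backup_dir);
    if ($base === false) {
        return null; // backup directory must already exist
    }
    $target = $base . DIRECTORY_SEPARATOR . $name;

    // Defence in depth: the parent of the final path must still be the backup directory.
    if (dirname($target) !== $base) {
        return null;
    }
    return $target;
}

// Handler order implied by the fix (assumed variable names, illustrative only):
//   $key = decrypt_session_key($message['key'], $private_key_pem);
//   if ($key === null) { exit('key decryption failed'); }      // stop; do not decrypt with an empty key
//   $path = safe_backup_path(WP_CONTENT_DIR . '/backups', $message['filename']);
//   if ($path === null) { exit('rejected filename'); }         // stop; never write outside the backup dir
```

The important ordering is that both checks run before any decrypted bytes are written to disk: a failed RSA decryption aborts the whole request rather than falling through to the symmetric cipher, and a filename is accepted only after it has been reduced to a bare name with an allowed extension inside the backup directory.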

Field                      Details
Vulnerability              Unauthenticated arbitrary file upload → RCE
CVE / CVSS                 CVE-2026-1357 / 9.8 (Critical)
Affected versions          ≤ 0.9.123
Patched version            0.9.124
Exploitation precondition  Receive-backup key generated and enabled; the key expires after at most 24 hours
Primary attack surface     wpvivid_action=send_to_site upload path
Root cause                 Path traversal via unsanitized filenames + RSA decryption failure not stopping processing
Mitigation                 Update to 0.9.124, rotate any generated keys, disable the receive-backup key when not in use, and check the web root for any unexpected PHP files created around the enabled-key window.