WordPress plugin with 900k installs vulnerable to critical RCE flaw
Critical RCE Flaw Discovered in WPvivid Backup Plugin: Over 900K WordPress Sites at Risk
A severe security vulnerability has been uncovered in the widely-used WPvivid Backup & Migration plugin for WordPress, putting more than 900,000 websites at potential risk of complete compromise through remote code execution attacks.
The Vulnerability: CVE-2026-1357
Security researchers at Defiant have identified a critical flaw tracked as CVE-2026-1357, which received the maximum severity score of 9.8 out of 10. This vulnerability affects all versions of the plugin up to and including 0.9.123, making it one of the most significant WordPress security issues discovered in recent months.
The flaw allows unauthenticated attackers to upload arbitrary files to vulnerable WordPress installations, potentially leading to full website takeover. However, the impact is somewhat limited by specific configuration requirements.
Who’s at Risk?
According to Defiant’s analysis, only WordPress sites that have enabled the “receive backup from another site” option are critically vulnerable. This non-default setting is typically used when administrators need to migrate sites or transfer backups between different hosting environments.
The vulnerability creates a 24-hour exploitation window, corresponding to the validity period of the generated key required for other sites to send backup files. While this limitation reduces the immediate attack surface, the widespread use of WPvivid for site migrations means many administrators may enable this feature periodically.
Technical Breakdown: How the Attack Works
The vulnerability stems from a combination of improper error handling in RSA decryption and inadequate path sanitization. When the plugin’s openssl_private_decrypt() call fails during the backup reception process, the plugin does not halt execution. Instead, it passes the failed result (false) on to the AES encryption routine as if it were the recovered key.
Because that failed result is used as the key, the AES key becomes predictable, and attackers can craft payloads that the plugin will accept as valid backup data. Additionally, the plugin fails to properly sanitize uploaded file names, allowing directory traversal that writes files outside the intended backup directory.
The most dangerous aspect is that attackers can upload malicious PHP files to achieve remote code execution, giving them complete control over the affected WordPress installation.
Timeline of Discovery and Response
The vulnerability was first reported to Defiant by security researcher Lucas Montes (NiRoX) on January 12, 2025. After validating the proof-of-concept exploit, Defiant notified the plugin vendor, WPVividPlugins, on January 22.
The vendor responded quickly, releasing version 0.9.124 on January 28, 2025, which includes comprehensive fixes for the identified issues. The security update addresses the vulnerability through multiple layers of protection:
- Added checks to halt execution if RSA decryption fails
- Implemented proper filename sanitization
- Restricted uploads to only allowed backup file types (ZIP, GZ, TAR, and SQL)
- Enhanced validation of incoming backup data
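The two defensive checks described above (halting on RSA decryption failure rather than passing `false` into the AES step, and confining uploaded file names to the backup directory with an extension allow list) look roughly like this. This is an added illustration, not WPvivid’s own code; the function names and the `$backup_dir` argument are assumptions.

```php
<?php
// Added example, not the plugin's code. Shows the fix pattern the advisory
// describes: fail closed on RSA errors and sanitize the client-supplied name.

const ALLOWED_BACKUP_EXTENSIONS = ['zip', 'gz', 'tar', 'sql'];

/**
 * Recover the per-transfer AES key from its RSA-encrypted form.
 * Returns the raw key, or null on failure. The caller must treat null as
 * fatal: a `false` from openssl_private_decrypt() must never reach the AES
 * routine as the key, because a decryption failure the sender can trigger
 * then yields a predictable key (the flaw described in this article).
 */
function recover_transfer_key(string $encrypted_key, string $private_key_pem): ?string
{
    $key = '';
    if (!openssl_private_decrypt($encrypted_key, $key, $private_key_pem)) {
        // Vulnerable pattern: continuing past this point with $key === false.
        return null;
    }
    return $key;
}

/**
 * Map a client-supplied backup file name to a path strictly inside
 * $backup_dir. Rejects path separators, traversal components, null bytes and
 * any extension outside the allow list (so .php/.phtml never get written).
 * Returns null when the name is rejected.
 */
function safe_backup_path(string $backup_dir, string $client_name): ?string
{
    if ($client_name === '' || str_contains($client_name, "\0")) {
        return null;
    }
    $name = basename($client_name);            // strips directory components
    if ($name !== $client_name || $name === '.' || $name === '..') {
        return null;                            // name carried a path component
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_BACKUP_EXTENSIONS, true)) {
        return null;                            // executable or unknown type
    }
    $dir = realpath($backup_dir);               // canonical backup directory
    if ($dir === false) {
        return null;
    }
    $path = $dir . DIRECTORY_SEPARATOR . $name;
    // Containment check: the resolved parent must be the backup directory itself.
    return dirname($path) === $dir ? $path : null;
}
```

A reception handler would call `recover_transfer_key()` first and abort the whole request on `null`, then call `safe_backup_path()` before any `move_uploaded_file()` or `file_put_contents()`.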
Immediate Actions Required
All users of the WPvivid Backup & Migration plugin should immediately upgrade to version 0.9.124 or later. Given the plugin’s popularity and the severity of the vulnerability, this represents a critical security update that should be prioritized.
Website administrators should also review their backup and migration configurations, particularly if they’ve enabled the “receive backup from another site” option. Even if this feature isn’t currently in use, it’s advisable to disable it until the site can be updated to the patched version.
Broader Implications for WordPress Security
This vulnerability highlights ongoing security challenges in the WordPress ecosystem, where popular plugins with large install bases can create widespread risk when security issues are discovered. The combination of backup functionality with migration capabilities creates complex attack surfaces that require careful security consideration.
The incident also demonstrates the importance of proper error handling in cryptographic operations and the need for comprehensive input validation in WordPress plugins that handle file uploads and external data.
What Makes This Vulnerability Particularly Concerning
Several factors make CVE-2026-1357 especially noteworthy:
- The plugin’s massive install base of over 900,000 sites
- The critical severity rating of 9.8
- The potential for unauthenticated remote code execution
- The combination of cryptographic and file handling vulnerabilities
- The 24-hour exploitation window that, while limited, provides real opportunities for attackers
Looking Forward
As WordPress continues to dominate the content management system market, vulnerabilities in popular plugins will remain a significant security concern. This incident serves as a reminder for website administrators to maintain regular update schedules, monitor security advisories, and implement proper backup and migration security practices.
The quick response from both the security researchers and the plugin vendor demonstrates the effectiveness of responsible disclosure practices, but also underscores the ongoing need for vigilance in the WordPress security landscape.
Tags: WordPress security, RCE vulnerability, WPvivid plugin, CVE-2026-1357, backup plugin flaw, WordPress plugin vulnerability, remote code execution, website takeover, security patch, WordPress migration security, critical vulnerability, file upload vulnerability, directory traversal, RSA decryption flaw, AES encryption vulnerability