Full Report
A critical vulnerability in the WPvivid Backup & Migration plugin for WordPress, installed on more than 900,000 websites, can be exploited to achieve remote code execution by uploading arbitrary files without authentication. [...]
Analysis Summary
# Vulnerability: WPvivid Backup & Migration Plugin Unauthenticated Remote Code Execution via File Upload
This summary details a critical vulnerability allowing unauthenticated RCE in the WPvivid Backup & Migration WordPress plugin.
## CVE Details
- CVE ID: CVE-2026-1357
- CVSS Score: 9.8 (Critical)
- CWE: CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')). The mapping is implied rather than stated: code execution is reached through path traversal in the file upload rather than through a direct shell command.
## Affected Systems
- Products: WPvivid Backup & Migration plugin for WordPress
- Versions: All versions up to and including 0.9.123
- Configurations: Critically impacted sites are those with the non-default **“receive backup from another site”** option enabled. Exploitation is easier if this feature is active.
## Vulnerability Description
The vulnerability stems from two flaws that are chained together: improper error handling during RSA decryption and missing path sanitization for uploaded files.
1. **Improper Error Handling:** When `_openssl_private_decrypt()` fails, the plugin does not stop execution; it passes the failure value (`false`) on to the AES (Rijndael) routine. The crypto library treats that `false` as a string of null bytes, so the effective key becomes predictable and an attacker can forge it.
2. **Path Traversal/Arbitrary File Upload:** Uploaded file names are not sanitized, so directory traversal sequences can place malicious PHP files outside the expected backup directory, leading to Remote Code Execution (RCE).
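The two defects above map to two missing checks in the receive-backup code path. The following PHP is an added illustration of the hardened pattern, not WPvivid's own code; the function names, the 32-byte AES key length, the allowed-extension list and the backup directory layout are assumptions made for this example.

```php
<?php
// Added example (not from the WPvivid plugin). Shows the fail-closed handling
// that the two flaws described above lack. Names and sizes are assumptions.

// Flaw 1: openssl_private_decrypt() returns false on failure. If that return
// value is used as the AES key, a request that cannot be decrypted at all still
// reaches the AES step with a predictable key. Fail closed instead.
function unwrap_session_key(string $wrapped, string $private_key_pem): string {
    $key = '';
    $ok = openssl_private_decrypt($wrapped, $key, $private_key_pem, OPENSSL_PKCS1_OAEP_PADDING);
    // Assumed AES-256 session key: exactly 32 bytes, never empty, never false.
    if ($ok !== true || !is_string($key) || strlen($key) !== 32) {
        throw new RuntimeException('RSA unwrap failed; refusing to continue');
    }
    return $key;
}

// Flaw 2: the uploaded file name is attacker-controlled. Strip any directory
// component, accept only a conservative character set, and allow only backup
// archive extensions so a ".php" file can never be written.
function safe_backup_path(string $backup_dir, string $client_name): string {
    $name = basename($client_name);                       // drops "../" prefixes
    if ($name === '.' || $name === '..'
        || !preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,199}$/', $name)) {
        throw new InvalidArgumentException('invalid backup file name');
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ['zip', 'gz', 'tar', 'sql'], true)) {  // assumed allow-list
        throw new InvalidArgumentException('disallowed extension: ' . $ext);
    }
    $root = realpath($backup_dir);
    if ($root === false) {
        throw new RuntimeException('backup directory does not exist');
    }
    $target = $root . DIRECTORY_SEPARATOR . $name;
    // Defence in depth: the resolved parent must still be the backup root.
    if (realpath(dirname($target)) !== $root) {
        throw new RuntimeException('path escapes backup directory');
    }
    return $target;
}
```

Both checks throw rather than return a fallback value, so a failed decrypt or a rejected name ends the request instead of silently continuing with attacker-influenced data.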
## Exploitation
- Status: PoC available (Researcher reported having a proof-of-concept exploit)
- Complexity: Low (no authentication is required; RCE is reachable when the "receive backup from another site" configuration is in place)
- Attack Vector: Network
## Impact
- Confidentiality: High (Full server compromise leading to data exfiltration)
- Integrity: High (Full control over the compromised website/server)
- Availability: High (Website can be taken offline, defaced, or used maliciously)
*Note: Researchers suggest a realistic exploitation window is limited to 24 hours, tied to the validity of a generated key when the vulnerable feature is active.*
## Remediation
### Patches
- **Upgrade to version 0.9.124** or later.
### Workarounds
- If immediate patching is impossible, administrators should ensure the **“receive backup from another site”** option is disabled in the WPvivid settings. This closes the critical path to RCE, though other weaknesses in the unpatched code may remain.
## Detection
- **Indicators of Compromise (IoCs):** Look for unexpected file creations or modifications in the plugin's backup directories, or in the web root reached via path traversal, with a `.php` or other executable extension, especially during periods when the "receive backup" feature was known to be active.
- **Detection Methods and Tools:** Security scanners capable of detecting directory traversal and unauthenticated file upload vulnerabilities should flag the operations within WPvivid plugin file handling routines prior to version 0.9.124.
## References
- Vendor Advisory: [Not explicitly linked, but patch available in v0.9.124]
- Relevant Links:
  - NVD Entry: hxxps://nvd.nist.gov/vuln/detail/CVE-2026-1357
  - Plugin Page: hxxps://wordpress.org/plugins/wpvivid-backuprestore/#description