WPvivid: WordPress Backup Plugin Vulnerability Exposes 800,000 Sites to Remote Code Execution Attacks

Critical RCE Vulnerability in WPvivid Backup Plugin Exposes 800,000+ WordPress Sites

A severe remote code execution (RCE) vulnerability in the WPvivid Backup & Migration plugin, tracked as CVE-2026-1357 (CVSS 9.8), has left over 800,000 WordPress websites vulnerable to complete takeover. The flaw, discovered by security researcher Lucas Montes (NiRoX) and reported via the Wordfence Bug Bounty Program, enables unauthenticated attackers to upload arbitrary files and execute malicious PHP code on affected sites.

The vulnerability stems from improper error handling in the plugin’s RSA decryption process and missing file path sanitization. When decryption fails, the plugin passes a false value into the AES cipher initialization, which the crypto library interprets as a string of null bytes. This predictable key allows attackers to encrypt payloads and bypass security controls. Additionally, unsanitized filenames permit directory traversal, letting threat actors write files to publicly accessible locations outside the backup directory.

Exploitation occurs via the wpvivid_action=send_to_site parameter, which attackers can abuse to upload and execute arbitrary PHP files, leading to full site compromise. While the most critical exposure affects sites with the remote backup feature enabled (disabled by default and limited to a 24-hour key lifetime), all unpatched installations remain at risk.

The vendor, WPvivid, released a patch (version 0.9.124) on January 28, 2026, after being notified on January 22. The fix introduces an empty check for decryption failures and enforces strict file extension validation to block malicious uploads. Wordfence deployed a firewall rule for paid customers on January 22, with free users gaining protection on February 21, 2026.
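As an added illustration (not WPvivid's code and not the actual patch), the two controls the fix is described as introducing, an explicit check that decryption actually produced a key and an extension allowlist with filename sanitization, applied to a hypothetical receive-file handler. The stand-in RSA function, the backup directory path and the allowlist are assumptions; requires PHP 8.

```php
<?php
// Illustrative only: models the checks described for the 0.9.124 fix in a
// hypothetical handler. Not the plugin's real code or file layout.

// Hypothetical stand-in for the plugin's RSA step: like the real library
// call the article describes, it returns false when decryption fails.
function rsa_decrypt_session_key(string $blob): string|false
{
    return $blob === 'valid-blob' ? random_bytes(32) : false;
}

const BACKUP_DIR  = '/var/www/html/wp-content/wpvividbackups'; // assumed path
const ALLOWED_EXT = ['zip', 'sql', 'json'];                    // constructed allowlist

// Returns null when the upload may be written, otherwise a rejection reason.
function check_incoming_file(string $enc_key_blob, string $client_filename): ?string
{
    $key = rsa_decrypt_session_key($enc_key_blob);
    // Vulnerable pattern: handing $key straight to the AES setup lets a false
    // result become a predictable key (the article: a string of null bytes).
    // The fix is to stop here instead.
    if (empty($key)) {
        return 'decryption failed';
    }

    // Drop any directory components the client supplied (both separators),
    // which closes the traversal into web-accessible locations.
    $name = basename(str_replace('\\', '/', $client_filename));
    if ($name === '' || $name === '.' || $name === '..' || str_contains($name, "\0")) {
        return 'invalid filename';
    }

    // Every dot-separated suffix must be allowlisted, so "name.php.zip" is
    // rejected along with "name.php"; executable types are never listed.
    $segments = explode('.', strtolower($name));
    array_shift($segments); // discard the base name
    if ($segments === [] || array_diff($segments, ALLOWED_EXT) !== []) {
        return 'extension not allowed';
    }

    // Defence in depth: confirm the final path still sits under BACKUP_DIR.
    $target = BACKUP_DIR . '/' . $name;
    if (strpos($target, BACKUP_DIR . '/') !== 0) {
        return 'path escapes backup directory';
    }
    return null;
}

// Constructed inputs exercising each branch.
var_dump(check_incoming_file('garbage', 'site.zip'));           // decryption failure
var_dump(check_incoming_file('valid-blob', '../../evil.php'));  // traversal + bad extension
var_dump(check_incoming_file('valid-blob', 'site.php.zip'));    // double extension
var_dump(check_incoming_file('valid-blob', 'site-backup.zip')); // accepted
```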

Montes received a $2,145 bounty for the disclosure, highlighting the role of bug bounty programs in improving WordPress plugin security. Site owners are advised to update to version 0.9.124 or later immediately to mitigate the risk.

Source: https://gbhackers.com/wordpress-backup-plugin-vulnerability/

Ploogins cybersecurity rating report: https://www.rankiteo.com/company/ploogins

{
"id": "PLO1770889816",
"linkid": "ploogins",
"type": "Vulnerability",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'industry': 'Web Development, Content Management',
                        'name': 'WPvivid Backup & Migration plugin users',
                        'size': '800,000+ sites',
                        'type': 'WordPress websites'}],
 'attack_vector': 'Unauthenticated file upload via '
                  '`wpvivid_action=send_to_site` parameter',
 'customer_advisories': 'Site owners advised to update to version 0.9.124 or '
                        'later.',
 'data_breach': {'file_types_exposed': 'PHP files'},
 'date_detected': '2026-01-22',
 'date_resolved': '2026-01-28',
 'description': 'A severe remote code execution (RCE) vulnerability in the '
                'WPvivid Backup & Migration plugin (CVE-2026-1357, CVSS 9.8) '
                'has left over 800,000 WordPress websites vulnerable to '
                'complete takeover. The flaw enables unauthenticated attackers '
                'to upload arbitrary files and execute malicious PHP code on '
                'affected sites due to improper error handling in the RSA '
                'decryption process and missing file path sanitization.',
 'impact': {'operational_impact': 'Full site compromise',
            'systems_affected': '800,000+ WordPress sites'},
 'investigation_status': 'Resolved',
 'post_incident_analysis': {'corrective_actions': 'Added empty check for '
                                                  'decryption failures and '
                                                  'enforced strict file '
                                                  'extension validation',
                            'root_causes': 'Improper error handling in RSA '
                                           'decryption process and missing '
                                           'file path sanitization'},
 'recommendations': 'Update to WPvivid Backup & Migration plugin version '
                    '0.9.124 or later immediately.',
 'references': [{'source': 'Wordfence Bug Bounty Program'}],
 'response': {'containment_measures': 'Firewall rule deployment by Wordfence '
                                      '(paid customers: 2026-01-22, free '
                                      'users: 2026-02-21)',
              'remediation_measures': 'Patch released (version 0.9.124) with '
                                      'empty check for decryption failures and '
                                      'strict file extension validation',
              'third_party_assistance': 'Wordfence Bug Bounty Program'},
 'title': 'Critical RCE Vulnerability in WPvivid Backup Plugin Exposes '
          '800,000+ WordPress Sites',
 'type': 'Remote Code Execution (RCE)',
 'vulnerability_exploited': 'CVE-2026-1357'}