TechRadar
Sead Fadilpašić

Nearly a million WordPress websites could be at risk from this serious plugin security flaw

  • WPvivid Backup & Migration plugin vulnerable to critical RCE flaw CVE-2026-1357
  • Exploitation requires the “receive backup from another site” option to be enabled, and the attack window is 24 hours
  • Patch released in version 0.9.123 (Jan 28); users urged to upgrade immediately

WPvivid Backup & Migration, a WordPress plugin with almost a million installs, is vulnerable to a critical-severity flaw that allows threat actors to run malicious code remotely.

Although it sounds ominous, the bug has a few limitations that make exploitation somewhat difficult.

The affected WordPress plugin lets users create site backups, restore them, and migrate sites to new domains or hosts. The core features are available for free, with optional premium upgrades for more advanced functions. It currently counts more than 900,000 active installations and more than 20,000 customers.

Exploiting and patching

However, security researchers at Defiant found that the plugin suffers from improper error handling in its RSA decryption routine, combined with a lack of path sanitization. As a result, threat actors could upload arbitrary files to the server without authentication and achieve remote code execution (RCE).
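The article names a lack of path sanitization as one half of the bug. The following is an added illustration, not code from the WPvivid plugin, Defiant or TechRadar, of the kind of confinement check a handler that accepts files from another site needs: the destination name is validated against an allow-list pattern and extension, then the resolved path is checked to sit inside the backup directory. The directory and file names are constructed.

```python
"""Confine a file received from another site to the backup directory.

Added example, not the plugin's code.  The article says the flaw combines
improper RSA error handling with missing path sanitization; this shows the
sanitization half from a defender's point of view.
"""
import os
import re
from typing import Dict, Iterable, Optional

# Only archives are acceptable as received backups (constructed policy).
ALLOWED_EXTENSIONS = {".zip"}

# A bare file name: starts alphanumeric, no separators, no control bytes.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,199}$")


def resolve_backup_path(base_dir: str, client_name: str) -> Optional[str]:
    """Return an absolute path under base_dir for client_name, or None.

    Rejects names containing path separators or traversal sequences,
    absolute paths, non-archive extensions, and anything whose resolved
    path (symlinks followed) escapes base_dir.
    """
    if not _SAFE_NAME.fullmatch(client_name):
        return None
    if os.path.splitext(client_name)[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, client_name))
    # Belt-and-braces containment check on the resolved path.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def check_names(base_dir: str, names: Iterable[str]) -> Dict[str, bool]:
    """Map each candidate name to whether it would be accepted."""
    return {n: resolve_backup_path(base_dir, n) is not None for n in names}


if __name__ == "__main__":
    # Constructed sample names: one legitimate archive and three that a
    # confinement check must refuse.
    samples = ["site-2026-01-28.zip", "../../x.php", "notes.txt", "/abs/path.zip"]
    for name, ok in check_names("/tmp/wpvivid-demo", samples).items():
        print(f"{'accept' if ok else 'reject'}: {name!r}")
```

The regex does most of the work; the `realpath` comparison is there so that a symlink placed inside the backup directory cannot redirect a write elsewhere.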

The bug is tracked as CVE-2026-1357 and has a severity score of 9.8/10 (critical). It affects all versions before 0.9.123, the patched release, which came out on January 28.

While all users are advised to upgrade to a safe version as soon as possible, exploiting this vulnerability is not as easy as it sounds. Only sites that have the “receive backup from another site” option enabled are vulnerable, and this feature is not turned on by default.

What’s more, the miscreants have only 24 hours to attack, because the key a remote site needs in order to send backup files expires after a day.
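A site owner triaging this advisory needs both conditions the article gives: plugin version below the patched 0.9.123 and the “receive backup from another site” option enabled. The helper below is an added example, not code from TechRadar, Defiant or the plugin authors. It compares versions numerically, because a plain string comparison ranks "0.9.99" above "0.9.123" and would mark a vulnerable site as safe. The site inventory is constructed.

```python
"""Triage sites against the two conditions in the article (added example)."""
from dataclasses import dataclass
from typing import List, Tuple

# First safe release named in the article.
PATCHED_VERSION = "0.9.123"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '0.9.123' into (0, 9, 123); non-numeric components count as 0."""
    parts = []
    for piece in v.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(version: str, receive_backup_enabled: bool) -> bool:
    """A site is exposed only if it runs an unpatched build AND has the
    receive-backup option switched on (the article's two conditions)."""
    unpatched = parse_version(version) < parse_version(PATCHED_VERSION)
    return unpatched and receive_backup_enabled


@dataclass
class Site:
    name: str
    plugin_version: str
    receive_backup_enabled: bool


def triage(sites: List[Site]) -> List[str]:
    """Return the names of sites that need action, in inventory order."""
    return [s.name for s in sites if is_vulnerable(s.plugin_version, s.receive_backup_enabled)]


if __name__ == "__main__":
    # Constructed inventory, not real sites.
    inventory = [
        Site("shop.example", "0.9.99", True),     # unpatched, option on -> act
        Site("blog.example", "0.9.99", False),    # unpatched, option off -> upgrade, lower urgency
        Site("docs.example", "0.9.123", True),    # patched -> fine
        Site("old.example", "0.9.120", True),     # unpatched, option on -> act
    ]
    print("needs action:", triage(inventory))
```

Sites that are unpatched but have the option off still warrant an upgrade; the function only ranks which ones match the exploitable configuration today.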

Unfortunately, there is no way to tell exactly how many of the 900,000 active installations are vulnerable. The official WordPress plugin website only shows installations of version 0.9, without further segmentation. It does state that since January 28, the day of the patch, up until today, the plugin has been downloaded roughly 200,000 times.

Via BleepingComputer
