A critical security vulnerability has been discovered in the WPvivid Backup & Migration plugin for WordPress, putting more than 900,000 websites at risk of complete takeover.
The flaw, tracked as CVE-2026-1357, has a CVSS severity score of 9.8, making it extremely dangerous. It affects all plugin versions up to 0.9.123 and allows attackers to upload arbitrary files without authentication, leading to remote code execution (RCE).
According to researchers at Defiant, the vulnerability mainly impacts sites where the “receive backup from another site” option is enabled. While this setting is disabled by default, it is commonly turned on during website migrations or backup transfers, even if only temporarily.
Attackers also face a 24-hour exploitation window, which is the validity period of the generated backup transfer key. This slightly limits mass exploitation, but security experts warn that many administrators unknowingly expose their sites during routine maintenance.
The issue was reported on January 12 by security researcher Lucas Montes (also known as NiRoX). The root cause lies in improper RSA decryption error handling combined with missing file path sanitization. When cryptographic decryption fails, the plugin continues execution instead of stopping, resulting in a predictable encryption key that attackers can abuse.
Additionally, the plugin failed to sanitize uploaded file names, enabling directory traversal attacks. This allows malicious PHP files to be written outside the backup directory, leading directly to server-side code execution.
Following responsible disclosure, WPVividPlugins released a security fix in version 0.9.124 on January 28. The update blocks execution on failed decryption, sanitizes file names, and restricts uploads to safe backup file formats such as ZIP, TAR, GZ, and SQL.
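The three fixes described above (fail closed on decryption failure, sanitize file names, allowlist backup formats) as a stand-alone PHP validation routine. This is an added illustration, not code from WPvivid or the 0.9.124 patch; the function names, the `ALLOWED_BACKUP_EXT` list and the `openssl_private_decrypt` usage are assumptions about how such a check would be written.

```php
<?php
// Added illustration, not WPvivid's code. Function names and the allowlist
// are hypothetical; the allowlist mirrors the formats named in the article.
const ALLOWED_BACKUP_EXT = ['zip', 'tar', 'gz', 'sql'];

// Fail closed: a failed RSA decryption must abort the transfer, never fall
// through to an empty or default key.
function decrypt_transfer_key(string $ciphertext, string $private_key_pem): string
{
    $plaintext = '';
    $ok = openssl_private_decrypt($ciphertext, $plaintext, $private_key_pem);
    if ($ok !== true || $plaintext === '') {
        throw new RuntimeException('Transfer key decryption failed; aborting upload.');
    }
    return $plaintext;
}

// Reduce an untrusted upload name to a plain basename with only safe
// characters, then require an allowlisted backup extension.
function sanitize_backup_filename(string $untrusted): string
{
    $name = basename(str_replace('\\', '/', $untrusted)); // drop any path part
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);  // constrain charset
    if ($name === '' || $name === '.' || $name[0] === '.') {
        throw new InvalidArgumentException('Rejected empty, dot or hidden file name.');
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_BACKUP_EXT, true)) {
        throw new InvalidArgumentException("Rejected file extension: {$ext}");
    }
    return $name;
}

// Last guard: the final destination must resolve inside the backup directory.
function resolve_backup_destination(string $backup_dir, string $safe_name): string
{
    $dir = realpath($backup_dir);
    if ($dir === false) {
        throw new RuntimeException('Backup directory does not exist.');
    }
    $dest = $dir . DIRECTORY_SEPARATOR . $safe_name;
    if (strpos($dest, $dir . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('Destination escapes backup directory.');
    }
    return $dest;
}

// Example (constructed input): a name carrying a path component is reduced
// to "site-backup.zip"; a ".php" name is rejected by the allowlist.
$safe = sanitize_backup_filename('../../site-backup.zip');
```

The extension allowlist and the destination check are deliberately layered: either one alone would have left a gap of the kind the article describes.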
What should site owners do?
Website administrators using WPvivid Backup & Migration are strongly advised to update to version 0.9.124 immediately. Leaving the plugin unpatched could allow attackers to gain full control of the website, including database access and file execution.