- WPvivid Backup & Migration plugin affected by critical remote code execution flaw CVE-2026-1357
- Exploitation requires the “receive a backup from another site” option to be enabled on the target, and the attack window is limited to the 24-hour lifetime of the migration key
- Patch released in version 0.9.123 (January 28); users are advised to upgrade immediately
WPvivid Backup & Migration, a WordPress plugin with nearly 1 million installations, is vulnerable to a critical severity flaw that allows unauthenticated attackers to execute code on the server remotely.
Although that sounds alarming, the bug comes with preconditions that make it harder to exploit than the severity score suggests.
The affected WordPress plugin allows users to create site backups, restore them, and migrate sites to new domains or hosts. Basic features are available for free, with optional premium upgrades for more advanced functions. It currently has over 900,000 active installations and over 20,000 customers.
Operation and fixes
Security researchers at Defiant, the company behind Wordfence, found that the plugin handled errors poorly during the RSA decryption of the migration key and did not sanitize the path of the received file. Together, these defects let an unauthenticated attacker write an arbitrary file to the server, which on a PHP host is enough for remote code execution (RCE), since a PHP file written under the web root is executed on request.
The bug is tracked as CVE-2026-1357 and carries a severity score of 9.8 out of 10 (critical). It affects all versions prior to 0.9.123, the patched release published on January 28.
Although all users are advised to upgrade to a secure version as soon as possible, the flaw is not trivially exploitable. Only sites with the “receive a backup from another site” option enabled are exposed, and that option is off by default.
Additionally, the migration key that a sending site must present expires after 24 hours, so a target is exposed only while a freshly generated key is still valid.
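The failure mode described above, a decryption error that does not stop the request combined with an unsanitized destination path, as an added illustrative model written in Python rather than the plugin's own PHP. This is not WPvivid's code: the handler names, the toy RSA parameters, the directory layout and the sample payload are all constructed for the demonstration. The defective handler is shown beside a hardened one that fails closed on any key problem, keeps the 24-hour key lifetime, and confines the write to the backup directory.

```python
"""
Illustrative model of the bug class behind CVE-2026-1357 (added example; NOT
WPvivid's code). A 'receive a backup from another site' endpoint takes a
migration key and a file. The defective handler (1) does not fail closed when
RSA decryption of the key errors out and (2) joins the client-supplied filename
to the backup directory unchecked, so an unauthenticated client can write a file
anywhere the web server user can. Names, toy RSA parameters and the directory
layout are hypothetical.
"""
import hmac
import os
import re
import tempfile
from dataclasses import dataclass

# Toy textbook RSA with tiny primes, only to make "decrypt the key" concrete.
P, Q, E = 61, 53, 17
N = P * Q                          # 3233
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent
KEY_TTL = 24 * 3600                # migration key lifetime: one day
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+\.zip")  # hardening choice: archives only


@dataclass
class SiteState:
    backup_dir: str    # where received backups belong
    secret: int        # migration secret, 0 < secret < N
    issued_at: float   # when the admin generated the key


def issue_key(state: SiteState) -> str:
    """Token handed to the sending site: the secret encrypted to our public key."""
    return str(pow(state.secret, E, N))


def decrypt_key(token: str):
    """Recover the secret, or None when the token is malformed (a swallowed error)."""
    if not token.isdigit() or not 0 <= int(token) < N:
        return None
    return pow(int(token), D, N)


def _write(path: str, data: bytes) -> str:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    return path


def receive_backup_vulnerable(state, token, filename, data, now) -> str:
    """Defective: a decryption failure is not a rejection, and the path is raw."""
    if now - state.issued_at > KEY_TTL:
        return "rejected: no live key"            # this is the 24-hour window
    key = decrypt_key(token)
    if key is not None and key != state.secret:   # rejects only on success+mismatch
        return "rejected: key mismatch"
    return _write(os.path.join(state.backup_dir, filename), data)


def receive_backup_hardened(state, token, filename, data, now) -> str:
    """Fail closed on any key problem; sanitize and confine the destination."""
    if now - state.issued_at > KEY_TTL:
        return "rejected: no live key"
    key = decrypt_key(token)
    if key is None or not hmac.compare_digest(str(key), str(state.secret)):
        return "rejected: bad key"                # failure and mismatch look the same
    name = os.path.basename(filename)
    if name != filename or not SAFE_NAME.fullmatch(name):
        return "rejected: bad filename"
    base = os.path.realpath(state.backup_dir)
    path = os.path.realpath(os.path.join(base, name))
    if os.path.dirname(path) != base:             # belt and braces
        return "rejected: path escapes backup dir"
    return _write(path, data)


def demo() -> dict:
    """Run both handlers against constructed requests in a scratch directory."""
    root = os.path.realpath(tempfile.mkdtemp())
    state = SiteState(os.path.join(root, "wp-content", "uploads", "wpvividbackups"),
                      secret=1234, issued_at=1_000_000.0)
    os.makedirs(state.backup_dir)
    good, soon, late = issue_key(state), state.issued_at + 60, state.issued_at + KEY_TTL + 1
    shell = b"<?php system($_GET['c']); ?>"       # constructed payload
    out = {}
    # Garbage token plus traversal name: the vulnerable handler still writes.
    p = receive_backup_vulnerable(state, "not-a-key", "../../evil.php", shell, soon)
    out["vuln_escaped"] = os.path.realpath(p) == os.path.join(root, "wp-content", "evil.php")
    # Same request once the key has expired: blocked even by the vulnerable code.
    out["vuln_expired"] = receive_backup_vulnerable(state, "not-a-key", "../../evil.php", shell, late)
    # Hardened handler: bad key, then a valid key with a traversal name, then a good upload.
    out["hard_badkey"] = receive_backup_hardened(state, "not-a-key", "../../x.php", shell, soon)
    out["hard_traversal"] = receive_backup_hardened(state, good, "../../x.php", shell, soon)
    out["hard_expired"] = receive_backup_hardened(state, good, "site.zip", b"PK", late)
    p = receive_backup_hardened(state, good, "site.zip", b"PK", soon)
    out["hard_ok"] = p == os.path.join(state.backup_dir, "site.zip")
    return out
```

Calling `demo()` shows the defective handler writing `evil.php` under `wp-content` from a request carrying a garbage key, while the hardened handler treats a failed decryption exactly like a wrong key, accepts only a bare `.zip` name, and re-checks the resolved path before writing. The 24-hour check appears in both handlers on purpose: it is the reason the article gives for the limited attack window, not part of the fix.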
Unfortunately, there is no way to know exactly how many of the 900,000 active installations are still vulnerable. The official WordPress plugin directory only breaks installations down to the 0.9 branch, not to individual releases. It does show that since January 28, the day of the patch, the plugin has been downloaded approximately 200,000 times.
Via BleepingComputer