WordPress plugin with 900k installs vulnerable to critical RCE flaw

Source: Bleeping Computer

Vulnerability Overview

• Affected plugin: WPvivid Backup & Migration
• CVE: CVE‑2026‑1357
• Severity: 9.8 (critical)
• Versions impacted: ≤ 0.9.123
• Fixed in: 0.9.124 (released January 28, 2026)

Only sites that have the non‑default “receive backup from another site” option enabled are critically impacted. The exploitation window is limited to 24 hours, which is the validity period of the generated key required by other sites to send backup files.

Technical Details

1. Improper RSA error handling

   • When openssl_private_decrypt() fails, the plugin continues execution and passes the false result to the AES (Rijndael) routine.
   • The cryptographic library interprets this as a string of null bytes, producing a predictable encryption key that attackers can exploit.

2. Insufficient filename sanitization

   • Uploaded file names are not properly sanitized, allowing directory traversal.
   • This enables writing files outside the intended backup directory, including malicious PHP files that can be executed remotely.

These flaws together permit an attacker to craft a malicious payload that the plugin accepts, leading to arbitrary file upload and RCE.

Impact

• Remote Code Execution – Attackers can execute arbitrary PHP code on the compromised site.
• Full Site Takeover – With RCE, attackers can gain complete control over the WordPress installation.
• Limited Exposure Window – The 24‑hour key validity reduces the realistic attack surface, but the feature is commonly enabled during migrations or backups, making many sites vulnerable at some point.

Mitigation and Fix

• Update the plugin to version 0.9.124 or later, which includes:

  • A check that aborts execution if RSA decryption fails.
  • Proper filename sanitization.
  • Restriction of uploads to allowed backup file types only (ZIP, GZ, TAR, SQL).

• Disable the “receive backup from another site” option unless absolutely necessary.

• Monitor for suspicious file uploads and review server logs for unexpected activity.

References

• Plugin page:
• NVD entry for CVE‑2026‑1357:

Recommendation: Administrators using WPvivid Backup & Migration should upgrade to version 0.9.124 immediately and verify that the vulnerable feature is disabled unless required.