
The flaw enables complete site takeover for a massive WordPress user base, creating urgent remediation pressure for businesses and hosting providers.
The WPvivid Backup & Migration plugin is one of the most popular tools for WordPress site owners, boasting more than 900,000 active installations worldwide. Its core function—transferring backup archives between servers—relies on a network‑exposed endpoint that, until now, assumed trusted traffic. CVE‑2026‑1357 shatters that assumption by granting any remote actor the ability to upload and execute arbitrary PHP code without credentials. With a CVSS base score of 9.8, the flaw ranks among the most severe WordPress‑related vulnerabilities seen in recent years, raising immediate alarm for administrators and hosting providers alike.
The exploit hinges on two coding oversights. First, the plugin mishandles RSA decryption failures: instead of aborting, it passes the Boolean false returned by the failed decryption into the AES routine as the session key, which collapses into a predictable all-null-byte key. Second, it does not sanitize filenames, so directory-traversal sequences such as `../` can escape the intended backup folder. An attacker can craft a request to the `wpvivid_action=send_to_site` endpoint, trigger the decryption error, inject a malicious filename, and write a PHP web shell to a publicly reachable path. Because the endpoint is publicly accessible, automated scanners can weaponize the vulnerability at scale.
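The two oversights as a hypothetical PHP pattern, each beside a hardened form; this is an added example, not WPvivid's source or the fixed plugin's code. It assumes PHP 8 with the openssl extension, a 32-byte AES-256-CBC session key, and that `$sessionKey` holds the RSA step's result: a key string, or false when `openssl_private_decrypt()` failed and the caller never checked.

```php
<?php
// Hypothetical PHP illustration (not WPvivid's code) of the two defects above,
// each beside a hardened form. Assumes PHP 8 with the openssl extension.

// DEFECT 1: false reaches openssl_decrypt(), whose string parameter coerces it
// to ""; openssl then silently zero-pads the short key to 32 NUL bytes.
function unsafe_decrypt_payload(string $ct, string $iv, $sessionKey): string|false {
    return openssl_decrypt($ct, 'aes-256-cbc', $sessionKey, OPENSSL_RAW_DATA, $iv);
}

// DEFECT 2: the client-supplied name is joined to the backup folder as-is,
// so "../" components can place the file outside it.
function unsafe_target_path(string $backupDir, string $fileName): string {
    return $backupDir . '/' . $fileName;
}

// HARDENED 1: fail closed unless a full-length string key was recovered, and
// refuse key padding so a wrong-length key can never decrypt anything.
function safe_decrypt_payload(string $ct, string $iv, $sessionKey): string {
    if (!is_string($sessionKey) || strlen($sessionKey) !== 32) {
        throw new RuntimeException('session key missing or wrong length');
    }
    $pt = openssl_decrypt($ct, 'aes-256-cbc', $sessionKey,
                          OPENSSL_RAW_DATA | OPENSSL_DONT_ZERO_PAD_KEY, $iv);
    if ($pt === false) {
        throw new RuntimeException('payload decryption failed');
    }
    return $pt;
}

// HARDENED 2: keep only the basename, allow-list its characters, and anchor
// it to the resolved backup folder instead of trusting the request.
function safe_target_path(string $backupDir, string $fileName): string {
    $name = basename($fileName);
    if (!preg_match('/^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*\.zip$/', $name)) {
        throw new RuntimeException('rejected backup filename');
    }
    $root = realpath($backupDir);
    if ($root === false || !is_dir($root)) {
        throw new RuntimeException('backup folder unavailable');
    }
    return $root . DIRECTORY_SEPARATOR . $name;
}

// Constructed check: data encrypted under an all-zero key decrypts on the
// unsafe path with a false "key"; the hardened path throws instead.
$iv = random_bytes(16);
$ct = openssl_encrypt('archive bytes', 'aes-256-cbc', str_repeat("\0", 32), OPENSSL_RAW_DATA, $iv);
var_dump(unsafe_decrypt_payload($ct, $iv, false) === 'archive bytes');
try { safe_decrypt_payload($ct, $iv, false); } catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
```

The same false-to-empty-string coercion is why a length check on the recovered key, not just a truthiness check, belongs in front of every symmetric decrypt call.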
Mitigation is straightforward: upgrade to WPvivid version 0.9.124 or later, which implements strict error handling and path validation, and disable the receive‑backup feature when not in use. Organizations should also enforce network‑level restrictions, such as IP whitelisting and mandatory authentication, and deploy a Web Application Firewall that can detect anomalous file‑upload patterns. Solutions like AppTrana WAAP demonstrate how day‑zero protection can block exploitation attempts while patches are rolled out. The episode underscores the broader need for rigorous code review and continuous monitoring of third‑party plugins in the WordPress ecosystem.