Critical Unauthenticated File Upload RCE in WPvivid Backup & Migration (CVE-2026-1357)
A critical vulnerability in the WordPress plugin WPvivid Backup & Migration (aka Migration, Backup, Staging – WPvivid Backup & Migration) allows unauthenticated arbitrary file upload leading to remote code execution (RCE) on affected sites. Tracked as CVE-2026-1357 with CVSS 9.8, the issue impacts plugin versions <= 0.9.123 and is tied to the plugin’s remote transfer functionality (send_to_site() / wpvivid_action=send_to_site), which processes incoming backup data from other sites.
Technical details indicate the exploit chain combines broken cryptographic error handling with unsafe file write behavior: when openssl_private_decrypt() fails, execution continues and a false value is passed into AES initialization, which is treated as a predictable null-byte key. Attackers can craft payloads encrypted with this null-byte key to bypass intended protections, then leverage missing file validation (and reported lack of filename/path sanitization enabling directory traversal) to write attacker-controlled files (e.g., PHP web shells) into web-accessible locations, enabling full site takeover and data access (including database contents).
Timeline
Feb 16, 2026
Nuclei template pull request adds CVE-2026-1357 detection logic
A ProjectDiscovery Nuclei templates pull request proposed detection for vulnerable WPvivid instances by checking plugin version and probing the send_to_site endpoint for a WPvivid-specific error response. The submission also documented a locally validated exploit chain using the fail-open crypto condition and path traversal to place a web-accessible file.
Feb 12, 2026
Technical details of the flaw and patch are published
Subsequent reporting detailed the root cause as RSA decryption error handling that could fall back to a predictable null-byte AES key, combined with unsafe path handling that enabled directory traversal and PHP upload. Coverage also described the vendor patch behavior and mitigation guidance such as upgrading, rotating keys, and checking for unexpected PHP files.
Feb 11, 2026
Wordfence reports observing and blocking attack activity
Wordfence said it had observed and blocked attacks targeting CVE-2026-1357, indicating active probing or exploitation attempts following disclosure. The activity was tied to the vulnerable send_to_site functionality.
Feb 11, 2026
CVE-2026-1357 is publicly disclosed
Public reporting disclosed CVE-2026-1357 as a critical unauthenticated arbitrary file upload vulnerability in WPvivid Backup & Migration, enabling remote code execution on sites using affected versions up to 0.9.123. Reports noted the highest risk applied when the non-default site-to-site backup receiving feature was enabled.
Jan 28, 2026
WPVividPlugins releases version 0.9.124 to fix CVE-2026-1357
WPVividPlugins released WPvivid Backup & Migration version 0.9.124 to address the vulnerability. The fix added decryption-failure checks, filename sanitization, and file-type restrictions on uploads.
Jan 22, 2026
Defiant validates PoC and notifies WPVividPlugins
After validating a proof-of-concept for the WPvivid vulnerability, Defiant notified the vendor WPVividPlugins about the issue, beginning coordinated disclosure of the flaw affecting versions up to 0.9.123.
Jan 12, 2026
Researcher Lucas Montes reports WPvivid flaw to Defiant
Researcher Lucas Montes (NiRoX) reported a critical unauthenticated file upload and remote code execution flaw in the WPvivid Backup & Migration WordPress plugin to Defiant. The issue later became tracked as CVE-2026-1357.
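As an added illustration (not WPvivid's own code), the following PHP sketches the receive-side pattern that the root cause above and the 0.9.124 fix describe: RSA decryption that fails closed instead of falling through to AES with a predictable key, filename sanitization, and a file-type allowlist with writes confined to the backup directory. The helper names, the allowed extension list and the 32-byte key length are assumptions.

```php
<?php
// Added illustrative code, not WPvivid's. Assumption: transfers carry only archive/dump artifacts.
const ALLOWED_EXTENSIONS = ['zip', 'sql', 'json'];

/** Decrypts the RSA-wrapped AES session key; aborts on any failure. */
function decrypt_session_key(string $wrapped_key, string $private_key_pem): string
{
    $key = openssl_pkey_get_private($private_key_pem);
    if ($key === false) {
        throw new RuntimeException('private key unusable');
    }
    $plain = '';
    $ok = openssl_private_decrypt($wrapped_key, $plain, $key);
    // Fail closed: a false return must stop here, never flow into AES init as an empty/null-byte key.
    if ($ok !== true || !is_string($plain) || strlen($plain) !== 32) { // assumes AES-256
        throw new RuntimeException('session key decryption failed');
    }
    return $plain;
}

/** Reduces a caller-supplied name to a safe basename with one allowed extension. */
function sanitize_backup_filename(string $name): string
{
    $base = basename(str_replace('\\', '/', $name));        // strip directory components
    $base = preg_replace('/[^A-Za-z0-9._-]/', '_', $base);  // allowlist characters
    $base = ltrim($base, '.');                               // no dotfiles such as .htaccess
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    // Exactly one dot: blocks double-extension tricks such as shell.php.zip
    if ($base === '' || substr_count($base, '.') !== 1 || !in_array($ext, ALLOWED_EXTENSIONS, true)) {
        throw new RuntimeException('rejected filename');
    }
    return $base;
}

/** Writes decrypted data inside $backup_dir only; realpath() pins the root. */
function store_backup_file(string $backup_dir, string $name, string $data): string
{
    $root = realpath($backup_dir);
    if ($root === false) {
        throw new RuntimeException('backup directory missing');
    }
    $path = $root . DIRECTORY_SEPARATOR . sanitize_backup_filename($name);
    if (strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {  // defense in depth against traversal
        throw new RuntimeException('path escapes backup directory');
    }
    file_put_contents($path, $data, LOCK_EX);
    return $path;
}
```

The key checks are the `$ok !== true` branch and the single-extension allowlist; a missing check at either point is the shape of the failure the advisory describes.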
Related Stories

Critical File Upload Flaws Expose WordPress Plugins to Remote Code Execution
Multiple WordPress plugins were found vulnerable to **unauthenticated arbitrary file upload** flaws that can lead to remote code execution and full site compromise. The most urgent case involves the **Breeze Cache** plugin, where **CVE-2026-3844** affects versions through `2.4.4` when the optional **"Host Files Locally - Gravatars"** feature is enabled. Researchers said the bug stems from missing file-type validation in the `fetch_gravatar_from_remote` function, and BleepingComputer reported that attackers are already exploiting the issue in the wild, with Wordfence observing more than 170 attack attempts. Cloudways released a fix in version `2.4.5`, and defenders were urged to update immediately or disable the Gravatar-related feature until patching is complete. Two additional **Contact Form 7** upload extensions were also disclosed with critical upload weaknesses. **CVE-2026-5718** affects **Drag and Drop Multiple File Upload for Contact Form 7** through `1.3.9.6`, where custom blacklist handling can override the default dangerous-extension denylist and a non-ASCII filename trick can bypass sanitization, allowing attackers to upload PHP files. **CVE-2026-5364** affects **Drag and Drop File Upload for Contact Form 7** through `1.1.3`, where the plugin validates an unsanitized extension but saves a sanitized one, enabling bypasses using special characters such as `$`; researchers noted that `.htaccess` protections and filename randomization may reduce real-world exploitability. Together, the disclosures highlight a broader pattern of insecure file validation in WordPress upload plugins.
1 week ago
Critical Unauthenticated RCE Vulnerability in W3 Total Cache WordPress Plugin (CVE-2025-9501)
A critical vulnerability (CVE-2025-9501) has been identified in the W3 Total Cache WordPress plugin, affecting versions prior to 2.8.13. This flaw allows unauthenticated attackers to execute arbitrary PHP commands on affected sites by submitting a specially crafted comment, exploiting the `_parse_dynamic_mfunc` function. The vulnerability has been assigned a CVSS score of 9.0, indicating a high risk of remote code execution, and potentially impacts up to 1 million WordPress sites using the vulnerable plugin version. Security researchers warn that exploitation of this vulnerability could allow attackers to fully compromise WordPress installations without authentication, leading to site defacement, data theft, or further malware deployment. Administrators are strongly advised to update W3 Total Cache to version 2.8.13 or later to mitigate the risk, as the vulnerability is remotely exploitable and poses a significant threat to a large number of websites.
1 month ago
Critical WordPress Form Plugin Flaws Enable Unauthenticated Server Compromise
Two high-severity vulnerabilities were disclosed in widely used WordPress form plugins, exposing sites to unauthenticated attacks that can lead to full server compromise. **CVE-2026-4347** affects **MW WP Form** through version `5.1.0` and stems from insufficient file path validation in `generate_user_filepath` and `move_temp_file_to_upload_dir`. An attacker can move arbitrary files on the server without authentication, and if a sensitive file such as `wp-config.php` is relocated, the flaw can be leveraged for remote code execution. Exploitation requires a form with a file upload field and the **Saving inquiry data in database** option enabled; the issue is tracked as **CWE-22**.
3 weeks ago