Unauthenticated Arbitrary File Upload in WPvivid Backup & Migration Plugin for WordPress
CVE-2026-1357

9.8CRITICAL

Key Information:

Vendor

WordPress

CVE Published:
11 February 2026

Badges

📈 Score: 300  👾 Exploit Exists  🟡 Public PoC

What is CVE-2026-1357?

CVE-2026-1357 is an unauthenticated arbitrary file upload vulnerability in the WPvivid Backup & Migration plugin for WordPress, a widely installed plugin for backups, staging and site migration. Two weaknesses combine. First, the plugin does not fail closed when RSA decryption of a session key fails: instead of aborting the request, it continues processing as if the key were valid. Second, the filename supplied with the upload is not adequately sanitized before it is used to build a path on disk. Together these allow an attacker with no credentials to write files of their choosing onto the server, including PHP files placed in a directory that the web server serves, which yields Remote Code Execution (RCE) in the web server's context. Because the plugin is present on a large number of WordPress installations, exploitation can give attackers full control of the affected web application and the data it holds.
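The paragraph above describes a fail-open crypto check followed by an unsanitized filename. The Python below is an added illustration of that pattern and of its fail-closed counterpart; it is not the plugin's PHP source and does not claim to mirror its code. The RSA step is simulated by a constructed lookup table (a real implementation returns an error value such as PHP's false on failure), and the extension allowlist is an assumption for the demo; the path handling and failure checks are real and runnable.

```python
"""Model of the fail-open upload pattern this advisory describes.

Added illustrative Python, not the plugin's PHP source. The RSA step is
simulated by a constructed lookup table; the missing failure check, the
unsanitised filename, and the hardened replacement are real logic.
"""
import os
import tempfile

# Constructed stand-in for RSA session-key decryption: returns the key on
# success and None for any ciphertext it cannot "decrypt".
_SESSION_KEYS = {b"ciphertext-A": b"session-key-A"}

# Assumed allowlist of backup-artifact extensions; not the plugin's own list.
ALLOWED_EXT = {".zip", ".sql", ".txt"}


def decrypt_session_key(blob):
    """Return the session key, or None when decryption fails."""
    return _SESSION_KEYS.get(blob)


def vulnerable_handler(upload_dir, key_blob, filename, data):
    """Fail-open pattern: the failed decryption is never checked, and the
    caller-supplied filename goes straight into the path, so a name like
    '../../shell.php' lands outside upload_dir."""
    key = decrypt_session_key(key_blob)        # None here, but nothing checks
    path = os.path.join(upload_dir, filename)  # no basename(), no allowlist
    with open(path, "wb") as f:                # key would be used past this point
        f.write(data)
    return path


def hardened_handler(upload_dir, key_blob, filename, data):
    """Fail closed on the crypto step, then constrain the filename."""
    key = decrypt_session_key(key_blob)
    if key is None:
        raise PermissionError("session key did not decrypt; refusing upload")
    name = os.path.basename(filename)          # drop any directory component
    ext = os.path.splitext(name)[1].lower()
    if not name or name.startswith(".") or ext not in ALLOWED_EXT:
        raise ValueError("rejected filename: %r" % filename)
    root = os.path.realpath(upload_dir)
    path = os.path.realpath(os.path.join(root, name))
    if os.path.dirname(path) != root:          # must resolve inside upload_dir
        raise ValueError("path escapes upload directory")
    with open(path, "wb") as f:
        f.write(data)
    return path


def demo():
    """Exercise both handlers in a throwaway WordPress-like tree."""
    root = os.path.realpath(tempfile.mkdtemp())
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    payload = b"<?php /* attacker-controlled code would go here */ ?>"
    out = {}

    # Undecryptable key blob plus a traversal filename: still written, two
    # directories above uploads/, i.e. into the simulated web root.
    written = vulnerable_handler(uploads, b"garbage", "../../shell.php", payload)
    out["vuln_wrote"] = os.path.relpath(written, root)

    # Same request against the hardened handler fails at the key check; with a
    # valid key it fails at the filename check instead.
    for label, blob, name in [("bad_key", b"garbage", "../../shell.php"),
                              ("bad_name", b"ciphertext-A", "../../shell.php")]:
        try:
            hardened_handler(uploads, blob, name, payload)
            out["hardened_" + label] = "accepted"
        except (PermissionError, ValueError) as e:
            out["hardened_" + label] = type(e).__name__

    ok = hardened_handler(uploads, b"ciphertext-A", "backup.zip", b"PK\x03\x04")
    out["hardened_ok"] = os.path.relpath(ok, root)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The order of checks in the hardened version matters: reject the request as soon as the cryptographic step fails, before any filename or filesystem work happens, and treat the realpath containment check as a second line of defence rather than the only one.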

Potential impact of CVE-2026-1357

  1. Remote Code Execution: The most severe outcome is RCE. Once a PHP file has been written below the web root, a single HTTP request to it runs attacker-supplied code with the web server's privileges, the usual starting point for further compromise of the host.

  2. Unauthorized Access: No account of any kind is required. The upload path is reachable before authentication, so WordPress's role and capability checks never apply, and a compromised site exposes its data to theft or manipulation.

  3. Website Defacement and Malware Distribution: Exploitation can also be used to deface the site, inject malicious scripts served to visitors, or distribute malware, harming users and the organization's reputation.

Affected Version(s)

Migration, Backup, Staging – WPvivid Backup & Migration: all versions up to and including 0.9.123
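The impact list and the affected-version line above lead to the two questions an incident responder asks first: is the installed plugin in the affected range, and has anything PHP-like appeared under wp-content/uploads, a tree that should never hold executable code and is the natural landing spot for an uploaded web shell. The script below is an added triage helper, not tooling from the advisory or the plugin. It relies only on WordPress's own plugin header format ("Version:" within the first 8 KiB of the main plugin file); the plugin directory name and the sample files are constructed for the demo.

```python
"""Triage helper for CVE-2026-1357 on a WordPress install.

Added example, not tooling from the advisory or the plugin. Checks the
installed plugin version against the last affected release and lists
PHP-like files below wp-content/uploads. Sample tree is constructed.
"""
import os
import re
import tempfile

LAST_AFFECTED = "0.9.123"   # advisory: all versions <= 0.9.123

# WordPress reads plugin headers from the first 8 KiB of the main file.
_VERSION_HDR = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.M)
# .php, .php5, .phtml, .phar: anything a permissive server may execute.
_PHP_LIKE = re.compile(r"\.ph(p\d?|tml|ar)$", re.I)


def parse_version(v):
    """'0.9.123' -> (0, 9, 123); non-numeric parts count as 0,
    trailing zeros are dropped so '1.0.0' compares equal to '1'."""
    out = []
    for part in re.split(r"[.\-]", v.strip()):
        m = re.match(r"\d+", part)
        out.append(int(m.group()) if m else 0)
    while len(out) > 1 and out[-1] == 0:
        out.pop()
    return tuple(out)


def is_affected(installed):
    return parse_version(installed) <= parse_version(LAST_AFFECTED)


def read_plugin_version(plugin_dir):
    """Return the Version: header of the first .php file that declares one."""
    for name in sorted(os.listdir(plugin_dir)):
        if not name.endswith(".php"):
            continue
        with open(os.path.join(plugin_dir, name), "r", errors="replace") as f:
            m = _VERSION_HDR.search(f.read(8192))
        if m:
            return m.group(1)
    return None


def find_php_in_uploads(wp_root):
    """Relative paths of PHP-like files anywhere below wp-content/uploads."""
    uploads = os.path.join(wp_root, "wp-content", "uploads")
    hits = []
    for dirpath, _dirs, files in os.walk(uploads):
        for fn in files:
            if _PHP_LIKE.search(fn):
                hits.append(os.path.relpath(os.path.join(dirpath, fn), wp_root))
    return sorted(hits)


def triage(wp_root, plugin_dir):
    version = read_plugin_version(plugin_dir)
    return {
        "version": version,
        "affected": version is not None and is_affected(version),
        "php_in_uploads": find_php_in_uploads(wp_root),
    }


def build_sample_site():
    """Constructed WordPress-like tree: plugin at the last affected version
    and one stray PHP file among the uploads. Directory name is assumed."""
    root = tempfile.mkdtemp()
    plugin_dir = os.path.join(root, "wp-content", "plugins", "wpvivid-backuprestore")
    os.makedirs(plugin_dir)
    with open(os.path.join(plugin_dir, "wpvivid-backuprestore.php"), "w") as f:
        f.write("<?php\n/*\nPlugin Name: WPvivid Backup & Migration\n"
                "Version: 0.9.123\n*/\n")
    uploads = os.path.join(root, "wp-content", "uploads", "2026", "02")
    os.makedirs(uploads)
    for fn in ("photo.jpg", "notes.txt", "x.php"):
        open(os.path.join(uploads, fn), "w").close()
    return root, plugin_dir


if __name__ == "__main__":
    site_root, plugin = build_sample_site()
    print(triage(site_root, plugin))
```

Run triage() against the real site root and the plugin's directory under wp-content/plugins. A non-empty php_in_uploads list on a site that was exposed while affected is a strong reason to treat the host as compromised and move to full incident response rather than only updating the plugin.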

Exploit Proof of Concept (PoC)

Proof-of-concept (PoC) code is written by security researchers to demonstrate that a vulnerability can actually be exploited. A public PoC is also a key building block for weaponization, including ransomware campaigns; for an unauthenticated upload that yields RCE, the distance from PoC to working exploit is short. The badges above indicate that a public PoC exists for this CVE.

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Score: 9.8
Severity: CRITICAL
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published (11 February 2026)
  • Vulnerability reserved

Credit

Lucas Montes