- WPvivid Backup & Migration plugin vulnerable to critical RCE flaw CVE-2026-1357
- Exploitation requires “receive backup from another site” enabled, with 24-hour attack window
- Patch released in version 0.9.123 (January 28); users are encouraged to upgrade immediately
WPvivid Backup & Migration, a WordPress plugin with nearly one million installations, is vulnerable to a critical severity flaw that allows threat actors to run malicious code remotely.
While it sounds ominous, the bug has a few limitations that make exploitation somewhat difficult.
The affected WordPress plugin lets users create backup copies of websites, restore them, and migrate websites to new domains or hosts. The core features are available for free, with optional premium upgrades for more advanced features. It currently counts more than 900,000 active installations and more than 20,000 customers.
Exploitation and patching
Security researchers at Defiant found that the plugin suffers from improper error handling in its RSA decryption process, combined with a lack of path sanitization. As a result, an unauthenticated threat actor could upload arbitrary files to the server and achieve remote code execution (RCE).
The bug is tracked as CVE-2026-1357 and has a severity score of 9.8/10 (Critical). It affects all versions up to 0.9.123, which was released on January 28.
Although all users are advised to upgrade to a secure version as soon as possible, exploiting this vulnerability is not as easy as it sounds. Only sites that have “receive backup from another site” enabled are vulnerable, and this feature is not turned on by default.
Furthermore, attackers have only a 24-hour window, because the key that a remote site needs in order to send backup files expires after one day.
Unfortunately, there is no way to tell exactly how many of the 900,000 active installations are vulnerable. The official WordPress plugin website only shows installations of version 0.9 without further segmentation. It does show that, between January 28 (the day of the patch) and today, the plugin has been downloaded about 200,000 times.
Via Bleeping Computer