CVE-2026-1357
Unauthenticated Arbitrary File Upload in WPvivid Backup Plugin Enables RCE
Publication date: 2026-02-11
Last updated on: 2026-02-11
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpvivid | backuprestore | up to 0.9.123 (inclusive) |
| wpvivid | backuprestore | 0.9.124 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
Can you explain this vulnerability to me?
The WPvivid Backup & Migration plugin for WordPress (up to version 0.9.123) has a vulnerability that allows unauthenticated attackers to upload arbitrary files. This happens because the plugin improperly handles errors during RSA decryption and does not sanitize file paths when writing uploaded files.
Specifically, when the plugin fails to decrypt a session key using openssl_private_decrypt(), it does not stop execution but passes the resulting false value to the AES cipher initialization. The AES library treats this false value as a predictable null-byte key, so attackers can encrypt malicious payloads with a key they can predict.
Additionally, the plugin accepts filenames from the decrypted payload without sanitization, allowing directory traversal attacks to escape the protected backup directory. This combination lets attackers upload arbitrary PHP files to publicly accessible directories and execute remote code via a specific plugin parameter.
How can this vulnerability impact me?
The impact is severe: unauthenticated attackers can upload arbitrary PHP files to your WordPress site.
Because the uploaded files can be placed in publicly accessible directories and executed remotely, attackers can achieve Remote Code Execution (RCE). This means they can run malicious code on your server without any authentication.
Such an exploit can lead to full site compromise, data theft, defacement, or use of your server for further attacks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability allows unauthenticated arbitrary file upload via the wpvivid_action=send_to_site parameter, enabling attackers to upload PHP files to publicly accessible directories and achieve remote code execution.
Detection can focus on monitoring HTTP POST requests to WordPress sites using the WPvivid Backup & Migration plugin, specifically looking for requests containing the parameter wpvivid_action=send_to_site or related actions such as send_to_site_connect, send_to_site_finish, send_to_site_file_status, or clear_backup_cache.
Network or system administrators can use web server access logs or intrusion detection systems (IDS) to search for suspicious POST requests targeting these parameters.
Example commands to detect such activity include:
- Using grep on web server logs to find suspicious POST requests: grep -i 'wpvivid_action=send_to_site' /var/log/apache2/access.log
- Searching for uploaded PHP files in backup directories that should not contain executable files: find /path/to/wp-content/uploads/wpvivid-backups -name '*.php'
- Using network monitoring tools like tcpdump or Wireshark to filter HTTP POST requests containing wpvivid_action parameters.
Additionally, monitoring for unexpected file creation or modification in backup directories, especially files with PHP extensions, can help detect exploitation attempts. [2, 5, 8]
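
The log search described above, extended into a small scanner as an added example (not part of the original page): it covers all five listed action values, decodes percent-encoded parameter names, and counts hits per source address. It assumes the combined access-log format and sees only the request line, so a parameter carried in a POST body does not appear in this log source; the sample lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Action values named on this page for the send_to_site flow.
WATCHED = {"send_to_site", "send_to_site_connect", "send_to_site_finish",
           "send_to_site_file_status", "clear_backup_cache"}

# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def scan(lines):
    """Return (hits, per_ip) for POST requests whose query string carries a
    watched wpvivid_action value. Unparseable lines are skipped."""
    hits, per_ip = [], Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # parse_qs percent-decodes names and values, so wpvivid%5Faction
        # is matched too; values are compared case-insensitively.
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        seen = {v.lower() for k, vs in query.items()
                if k.lower() == "wpvivid_action" for v in vs}
        matched = sorted(seen & WATCHED)
        if matched:
            hits.append({"ip": m["ip"], "time": m["time"],
                         "status": int(m["status"]), "actions": matched})
            per_ip[m["ip"]] += 1
    return hits, per_ip

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE = [
    '203.0.113.7 - - [11/Feb/2026:10:02:11 +0000] "POST /?wpvivid_action=send_to_site HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [11/Feb/2026:10:02:14 +0000] "POST /?wpvivid%5Faction=SEND_TO_SITE_FINISH HTTP/1.1" 200 87 "-" "-"',
    '198.51.100.20 - - [11/Feb/2026:10:05:40 +0000] "GET /?wpvivid_action=send_to_site HTTP/1.1" 200 9001 "-" "-"',
    '198.51.100.20 - - [11/Feb/2026:10:06:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 44 "-" "-"',
    '192.0.2.33 - - [11/Feb/2026:10:09:30 +0000] "POST /?wpvivid_action=other HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    hits, per_ip = scan(SAMPLE)
    for hit in hits:
        print(hit)
    print(per_ip.most_common())
```
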
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the WPvivid Backup & Migration plugin to version 0.9.124 or later, which contains security fixes addressing CVE-2026-1357.
The update enforces strict validation and sanitization of uploaded backup files, allowing only specific file extensions (zip, gz, tar, sql), and sanitizes file names to prevent directory traversal.
Other mitigation measures include:
- Restricting access to the plugin's upload endpoints by IP address or authentication to prevent unauthenticated uploads.
- Monitoring and removing any suspicious PHP files uploaded to backup directories.
- Implementing web application firewall (WAF) rules to block requests containing suspicious wpvivid_action parameters.
- Disabling or removing the plugin if it is not actively used.
The update also improves cryptographic key handling and prevents exposure of sensitive credentials in the admin UI, further enhancing security. [3]
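
The two checks that the explanation and the fix description point to, failing closed when session-key decryption fails and confining the uploaded filename to the backup directory, sketched in Python as an added example; this is not the plugin's PHP code. The 32-byte key length, the function names and the sample path are assumptions; the extension list is the one given above.

```python
import os

ALLOWED_EXT = {"zip", "gz", "tar", "sql"}  # extensions listed above for the update
KEY_LEN = 32                               # assumption: 256-bit session key

class RejectedUpload(Exception):
    """Raised whenever an upload must be refused."""

def checked_session_key(key):
    """Fail closed: a failed decrypt (False/None) must never reach the cipher."""
    if not isinstance(key, (bytes, bytearray)) or len(key) != KEY_LEN:
        raise RejectedUpload("session key decryption failed")
    if key == bytes(KEY_LEN):
        # Defense in depth: refuse the all-null key a failure could turn into.
        raise RejectedUpload("all-zero session key")
    return bytes(key)

def safe_destination(backup_dir, name):
    """Map an untrusted filename to a path that stays inside backup_dir."""
    flat = name.replace("\\", "/")
    if not name or "\x00" in name or name != os.path.basename(flat):
        raise RejectedUpload("filename contains a path component")
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in ALLOWED_EXT:
        raise RejectedUpload("extension not allowed")
    root = os.path.realpath(backup_dir)
    dest = os.path.realpath(os.path.join(root, name))
    # realpath resolves symlinks, so a link pointing outside is refused too.
    if os.path.commonpath([root, dest]) != root:
        raise RejectedUpload("destination escapes backup directory")
    return dest

if __name__ == "__main__":
    backup_dir = "/tmp/wpvivid-backups-example"  # hypothetical path
    for candidate in ("site_backup.zip", "../../uploads/x.php", "x.php", ".."):
        try:
            print(candidate, "->", safe_destination(backup_dir, candidate))
        except RejectedUpload as exc:
            print(candidate, "-> rejected:", exc)
```
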