On February 12, 2026, cybersecurity researchers disclosed a critical remote code execution (RCE) vulnerability, tracked as CVE-2026-1357, affecting the popular WPvivid Backup & Migration plugin for WordPress. This flaw has significant implications given that the plugin is installed on over 900,000 WordPress sites worldwide, used primarily for backups, migrations, and staging workflows.
Technical Summary
- Vulnerability ID: CVE-2026-1357
- Severity: Critical (CVSS v3.1 score: 9.8)
- Affected Software: WPvivid Backup & Migration plugin, ≤ 0.9.123
- Impact: Unauthenticated arbitrary file upload → remote code execution
- Fixed In: Version 0.9.124 (released Jan 28, 2026)
What’s the Underlying Flaw?
At a high level, CVE-2026-1357 arises from two interrelated weaknesses in the plugin’s code:
1. Improper Error Handling in Cryptographic Decryption
The plugin uses RSA decryption (openssl_private_decrypt()) to unwrap the session key when receiving a backup from another site. When that call fails, the plugin does not stop; it continues and hands the boolean false it was left with to the AES decryption routine used later.
In the phpseclib library the plugin uses for AES, a false key input is treated as a string of null bytes. The resulting AES key is therefore predictable and trivial for an attacker to reproduce, which undermines the entire encrypted-session mechanism.
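The fail-closed handling the advisory calls for, as an added example rather than WPvivid's own code. It assumes PHP 8 with ext-openssl, the function names unwrap_session_key() and receive_backup_payload(), and a wire format of 12-byte nonce, 16-byte GCM tag, then ciphertext; none of these come from the plugin. The point is the check after openssl_private_decrypt(): a false return, a non-string or a wrong-length key ends the request instead of flowing into the cipher.

```php
<?php
// Added example, not WPvivid's code: a fail-closed version of the session-key step.
// Function names (unwrap_session_key, receive_backup_payload) and the wire format
// (12-byte nonce || 16-byte GCM tag || ciphertext) are assumptions for this example.

declare(strict_types=1);

/** Unwrap an RSA-OAEP-encrypted 256-bit AES session key; null on any failure. */
function unwrap_session_key(string $wrapped_key, string $private_key_pem): ?string
{
    $private_key = openssl_pkey_get_private($private_key_pem);
    if ($private_key === false) {
        return null;
    }

    $session_key = '';
    $ok = openssl_private_decrypt($wrapped_key, $session_key, $private_key, OPENSSL_PKCS1_OAEP_PADDING);

    // The weak pattern ignores $ok and passes whatever is left in $session_key to the
    // cipher. Here any failure, wrong type or wrong length is fatal for the request.
    if ($ok !== true || !is_string($session_key) || strlen($session_key) !== 32) {
        return null;
    }
    return $session_key;
}

/** Decrypt a received payload, or refuse it entirely when the session key is unusable. */
function receive_backup_payload(string $wrapped_key, string $private_key_pem, string $blob): ?string
{
    $key = unwrap_session_key($wrapped_key, $private_key_pem);
    if ($key === null) {
        error_log('backup receive: session key unwrap failed, request rejected');
        return null;                       // terminate instead of continuing with a bad key
    }
    if (strlen($blob) < 28) {
        return null;                       // too short to hold nonce + tag
    }
    $nonce = substr($blob, 0, 12);
    $tag   = substr($blob, 12, 16);
    $body  = substr($blob, 28);
    // AES-256-GCM authenticates the ciphertext, so a wrong key or tampering fails here too.
    $plain = openssl_decrypt($body, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    return $plain === false ? null : $plain;
}

// Self-check with a freshly generated key pair (no real site keys involved).
$pair = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($pair, $private_pem);
$public_pem = openssl_pkey_get_details($pair)['key'];

$session = random_bytes(32);
openssl_public_encrypt($session, $wrapped, $public_pem, OPENSSL_PKCS1_OAEP_PADDING);
$nonce = random_bytes(12);
$ct    = openssl_encrypt('backup-manifest.json', 'aes-256-gcm', $session, OPENSSL_RAW_DATA, $nonce, $tag);
$blob  = $nonce . $tag . $ct;

echo receive_backup_payload($wrapped, $private_pem, $blob) === 'backup-manifest.json'
    ? "valid key: payload accepted\n" : "valid key: unexpected failure\n";
echo receive_backup_payload(random_bytes(256), $private_pem, $blob) === null
    ? "garbage key: request rejected\n" : "garbage key: NOT rejected\n";
```

Run it with `php example.php`. The second call feeds random bytes as the wrapped key; in the weak pattern that failure would silently become a null-byte key, whereas here the request never reaches the AES step. Using an authenticated mode (GCM) adds a second, independent rejection point if a bad key ever does slip through.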
2. Lack of Path and Filename Sanitization
Once an attacker gets past the session-key check, the filename validation that follows is virtually nonexistent. Specifically:
- Uploaded backup file names are accepted without proper sanitization.
- This enables directory traversal attacks, allowing an attacker to place uploaded files outside of the intended backup storage paths.
A malicious actor can exploit this to write arbitrary PHP files into web-accessible directories and then invoke them via HTTP — a classic Remote Code Execution (RCE) vector.
Exploitation Conditions
While the vulnerability is serious, certain conditions affect practical exploitability:
- The critical attack surface is associated with the “receive backup from another site” feature, which is not enabled by default.
- Attackers must generate a valid signing key linked to this feature, which is accepted for 24 hours — giving a relatively narrow window per key.
However, because site administrators commonly activate this feature during migration or staging tasks, real-world exposure remains high.
Remediation & Mitigation
Official Patch
The vendor released WPvivid Backup & Migration v0.9.124, which contains the following key fixes:
- Adds termination on RSA decryption failure to prevent injection of predictable keys.
- Implements strict sanitization of uploaded filenames.
- Restricts uploads to a whitelist of known backup formats (e.g., .zip, .tar, .sql).
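The filename fixes listed above (and the traversal weakness described under "Lack of Path and Filename Sanitization"), as an added example that is not the vendor's patch. validate_backup_filename() and BACKUP_EXTENSIONS are names chosen here; the only thing taken from the advisory is the whitelist of .zip, .tar and .sql. The design is to accept a bare basename only, so a traversal sequence can never survive, and then to whitelist the final extension while refusing executable extensions anywhere in the name.

```php
<?php
// Added example (not WPvivid code): accept an uploaded backup filename only if it is a
// bare basename with a whitelisted extension, and return the path inside the backup
// directory where it may be written. Names in this file are chosen for the example.

declare(strict_types=1);

const BACKUP_EXTENSIONS = ['zip', 'tar', 'sql'];           // from the advisory's fix list
const EXECUTABLE_SEGMENTS = ['php', 'phtml', 'phar', 'php5', 'php7'];

function validate_backup_filename(string $name, string $backup_dir): ?string
{
    // 1. NUL bytes first: they truncate paths in C-level filesystem calls.
    if ($name === '' || str_contains($name, "\0")) {
        return null;
    }
    // 2. A bare basename only: "../x", "a/b", "/etc/x" and "..", all differ from basename().
    if ($name !== basename($name)) {
        return null;
    }
    // 3. Conservative character set, no leading dot (hidden files such as .htaccess).
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,199}$/', $name)) {
        return null;
    }
    // 4. Whitelist the last extension.
    $segments = explode('.', strtolower($name));
    $ext = array_pop($segments);
    if (!in_array($ext, BACKUP_EXTENSIONS, true)) {
        return null;
    }
    // 5. Refuse executable extensions anywhere in the name: some Apache multiple-extension
    //    configurations hand "name.php.zip" to the PHP handler.
    foreach ($segments as $segment) {
        if (in_array($segment, EXECUTABLE_SEGMENTS, true)) {
            return null;
        }
    }
    // 6. Anchor the result to the canonical backup directory.
    $root = realpath($backup_dir);
    if ($root === false) {
        return null;
    }
    return $root . DIRECTORY_SEPARATOR . $name;
}

// Constructed inputs for a quick self-check; the directory is a temp folder.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'backup-validation-example';
@mkdir($dir);
$candidates = [
    'site-2026-02-12.zip',
    'db.sql',
    '../../wp-content/uploads/not-a-backup.php',
    'name.php.zip',
    "archive\0.zip",
    '.htaccess',
    'plain.txt',
];
foreach ($candidates as $candidate) {
    $result = validate_backup_filename($candidate, $dir);
    printf("%-45s %s\n", addcslashes($candidate, "\0"),
        $result === null ? 'REJECTED' : 'accepted -> ' . $result);
}
```

Requires PHP 8.0 or later for str_contains(). Note that the order of checks matters: the NUL-byte test runs before basename() so that nothing downstream ever sees a string a C call would truncate, and the basename comparison is what makes every traversal form fail regardless of encoding tricks, since only a name with no separator at all is equal to its own basename.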
Action Required: All WordPress administrators using this plugin should immediately update to v0.9.124 or later.
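For administrators who manage more than one install, an added audit script (not from the advisory or the vendor) that reads the standard WordPress plugin header and flags any WPvivid plugin older than 0.9.124. It assumes the plugin is identified by the word "wpvivid" in its "Plugin Name:" header line and that the plugin directory is the usual wp-content/plugins; the fixed version is the one stated above.

```php
<?php
// Added example (not from the advisory or the vendor): scan a WordPress plugin directory
// and report whether a WPvivid Backup & Migration plugin older than the fixed release is
// present. Header parsing follows the standard WordPress plugin header format; the plugin
// is found by matching "wpvivid" in its "Plugin Name:" line (an assumption of this script).

declare(strict_types=1);

const WPVIVID_FIXED_VERSION = '0.9.124';   // from the advisory

/** Read "Plugin Name:" and "Version:" from the first 8 KiB of a plugin file, as WordPress does. */
function read_plugin_header(string $file): ?array
{
    $head = @file_get_contents($file, false, null, 0, 8192);
    if ($head === false) {
        return null;
    }
    if (!preg_match('/^[ \t\/*#@]*Plugin Name:\s*(.+?)\s*$/mi', $head, $nameMatch)) {
        return null;                                   // not a plugin main file
    }
    $version = preg_match('/^[ \t\/*#@]*Version:\s*(.+?)\s*$/mi', $head, $verMatch)
        ? $verMatch[1] : '0';                          // missing version counts as ancient
    return ['name' => $nameMatch[1], 'version' => $version];
}

/** Return one finding per plugin main file whose name mentions WPvivid. */
function audit_wpvivid(string $plugins_dir): array
{
    $findings = [];
    foreach (glob($plugins_dir . '/*/*.php') ?: [] as $file) {
        $header = read_plugin_header($file);
        if ($header === null || stripos($header['name'], 'wpvivid') === false) {
            continue;
        }
        $findings[] = [
            'file'       => $file,
            'version'    => $header['version'],
            'vulnerable' => version_compare($header['version'], WPVIVID_FIXED_VERSION, '<'),
        ];
    }
    return $findings;
}

$dir = $argv[1] ?? '/var/www/html/wp-content/plugins';
$findings = audit_wpvivid($dir);
if ($findings === []) {
    echo "no WPvivid plugin found under $dir\n";
}
foreach ($findings as $f) {
    printf("%s  version %s  %s\n", $f['file'], $f['version'],
        $f['vulnerable'] ? 'UPDATE REQUIRED (CVE-2026-1357)' : 'at or above fixed version');
}
```

Run as `php audit-wpvivid.php /path/to/wp-content/plugins` on each host, or from a cron job that forwards "UPDATE REQUIRED" lines to your alerting. A plugin present but deactivated still matters: the files remain on disk and should be updated or removed, and whether the "receive backup" feature was ever enabled is something to check in the plugin settings separately.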
Why This Matters
Remote code execution vulnerabilities like CVE-2026-1357 are among the most dangerous classes of flaws in web applications:
- An attacker doesn’t need valid credentials or elevated privileges (i.e., unauthenticated access).
- Exploitation can lead to full site takeover — including defacement, malware injection, staff email compromise, and lateral movement within hosting environments.
- Given WordPress’s dominant market share on the web, a flaw in a plugin with nearly a million active installs can quickly translate into a large botnet of compromised sites.
Developer & Security Takeaways
From a secure development perspective:
- Always validate and sanitize user inputs, especially filenames and paths.
- Never ignore error handling on critical cryptographic functions — their output directly influences security decisions.
- Applying least privilege principles to sensitive features (like cross-site backup reception) can minimize blast radius during exploitation.
