- The WPvivid Backup & Migration plugin is vulnerable to a critical RCE flaw, CVE-2026-1357
- Exploitation requires the “receive backup from another site” option to be enabled, and the attack window is 24 hours
- A patch was released in version 0.9.123 (January 28); users are urged to update immediately.
WPvivid Backup & Migration, a WordPress plugin with nearly a million installations, is vulnerable to a critical flaw that allows threat actors to execute malicious code remotely.
Although it sounds serious, the bug has preconditions that make it somewhat harder to exploit.
The affected WordPress plugin allows users to create site backups, restore them, and migrate sites to new domains or hosts. Core features are available for free, with optional premium upgrades for more advanced features. It currently has more than 900,000 active installations and more than 20,000 clients.
Exploitation and patching
Security researchers at Defiant found that the plugin suffers from poor error handling in its RSA decryption routine, combined with a lack of path sanitization. As a result, unauthenticated threat actors could upload arbitrary files to the server and achieve remote code execution (RCE).
The bug is tracked as CVE-2026-1357 and has a severity score of 9.8/10 (critical). It affects all versions prior to 0.9.123, the patched release published on January 28.
While all users are advised to upgrade to a secure version as soon as possible, exploiting this vulnerability is not as easy as it seems. Only sites that have the “receive backup from another site” option enabled are vulnerable, and this feature is not enabled by default.
What’s more, attackers have only a 24-hour window, since the key that other sites need in order to send backup files expires daily.
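The two defensive properties implied by the bug description above (fail closed when RSA decryption fails, and confine the destination of an incoming backup file to the backup directory), together with the daily key expiry, as an added illustrative example in PHP. This is not the WPvivid plugin's own code; the function names, request fields, `$backupDir`, `$privateKeyPem` and `$expectedKey` are all assumptions.

```php
<?php
// Added illustrative example, not the plugin's code. Models a hardened
// "receive backup from another site" handler: the transfer key must
// decrypt and match before any filesystem work happens, and the file
// name is forced to stay inside the backup directory.

function decrypt_transfer_key(string $privateKeyPem, string $encrypted): ?string {
    $key = openssl_pkey_get_private($privateKeyPem);
    if ($key === false || $encrypted === '') {
        return null;
    }
    $plain = '';
    // openssl_private_decrypt() returns false on failure. Fail closed here
    // instead of continuing with an empty or partial value.
    if (!openssl_private_decrypt($encrypted, $plain, $key, OPENSSL_PKCS1_OAEP_PADDING)) {
        return null;
    }
    return $plain;
}

function safe_backup_path(string $backupDir, string $requestedName): ?string {
    // Drop any directory component, then allow only a conservative name shape.
    $name = basename($requestedName);
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*\.zip$/', $name)) {
        return null;
    }
    $dir = realpath($backupDir);
    if ($dir === false) {
        return null;
    }
    $target = $dir . DIRECTORY_SEPARATOR . $name;
    // Defence in depth: the parent of the final path must resolve to $dir.
    return realpath(dirname($target)) === $dir ? $target : null;
}

// $req is the decoded request body (assumed fields: key, file_name, file_data);
// $expectedKey is the per-day key the receiving site issued, $expiresAt its expiry.
function handle_incoming_backup(array $req, string $backupDir, string $privateKeyPem,
                                string $expectedKey, int $expiresAt): bool {
    if (time() > $expiresAt) {
        return false; // daily key has expired
    }
    $encrypted = base64_decode($req['key'] ?? '', true);
    $key = decrypt_transfer_key($privateKeyPem, $encrypted === false ? '' : $encrypted);
    if ($key === null || !hash_equals($expectedKey, $key)) {
        return false; // undecryptable or wrong key: reject before touching disk
    }
    $path = safe_backup_path($backupDir, $req['file_name'] ?? '');
    if ($path === null) {
        return false; // name escaped the backup directory or had an unexpected shape
    }
    return file_put_contents($path, $req['file_data'] ?? '') !== false;
}
```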
Unfortunately, there is no way to know exactly how many of the 900,000 active installations are vulnerable. The official WordPress plugin website only shows installations of version 0.9, without further segmentation. It does state that from January 28, the day of the patch, to today, the plugin was downloaded approximately 200,000 times.
Via BleepingComputer