Critical Unauthenticated File Upload RCE in WPvivid Backup & Migration (CVE-2026-1357)
A critical vulnerability in the WordPress plugin WPvivid Backup & Migration (aka Migration, Backup, Staging – WPvivid Backup & Migration) allows unauthenticated arbitrary file upload leading to remote code execution (RCE) on affected sites. Tracked as CVE-2026-1357 with CVSS 9.8, the issue impacts plugin versions <= 0.9.123 and is tied to the plugin’s remote transfer functionality (send_to_site() / wpvivid_action=send_to_site), which processes incoming backup data from other sites.
Technical details indicate the exploit chain combines broken cryptographic error handling with unsafe file write behavior: when openssl_private_decrypt() fails, execution continues and a false value is passed into AES initialization, which is treated as a predictable null-byte key. Attackers can craft payloads encrypted with this null-byte key to bypass intended protections, then leverage missing file validation (and reported lack of filename/path sanitization enabling directory traversal) to write attacker-controlled files (e.g., PHP web shells) into web-accessible locations, enabling full site takeover and data access (including database contents).
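The three controls this chain bypasses (a checked decryption result, a sanitized file name, and a file-type restriction), written fail-closed in PHP as an added example; it is not WPvivid's code or the vendor patch. The function names, the extension allow-list, the 32-byte key size, and the OAEP padding choice are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration only: a hypothetical receiver, not WPvivid's code or its patch.
const ALLOWED_EXTENSIONS = ['zip', 'gz', 'sql'];   // assumed allow-list
const SESSION_KEY_BYTES  = 32;                     // assumed AES-256 key size

// Fail closed: openssl_private_decrypt() returns false on error, and that
// result must never reach the symmetric cipher as key material.
function unwrap_session_key(string $wrappedKey, $privateKey): string
{
    $key = null;
    $ok  = openssl_private_decrypt($wrappedKey, $key, $privateKey, OPENSSL_PKCS1_OAEP_PADDING);
    if ($ok !== true || !is_string($key) || strlen($key) !== SESSION_KEY_BYTES) {
        throw new RuntimeException('key unwrap failed, transfer rejected');
    }
    return $key;
}

// Accept a bare file name only, with an allow-listed extension, and build the
// destination from a trusted base directory rather than from request data.
function safe_destination(string $clientName, string $backupDir): string
{
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,127}\z/', $clientName)) {
        throw new RuntimeException('file name rejected');
    }
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        throw new RuntimeException('file type rejected');
    }
    $base = realpath($backupDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('backup directory unavailable');
    }
    return $base . DIRECTORY_SEPARATOR . $clientName;
}

// Constructed inputs: a throwaway key pair, malformed key blobs, and file names.
$pair = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
if ($pair === false) { exit("openssl_pkey_new failed\n"); }
foreach ([random_bytes(256), ''] as $blob) {
    try { unwrap_session_key($blob, $pair); echo "accepted\n"; }
    catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
}
foreach (['site_backup.zip', '../outside.zip', 'notes.php', '.htaccess'] as $name) {
    try { echo safe_destination($name, sys_get_temp_dir()), "\n"; }
    catch (RuntimeException $e) { echo "$name: ", $e->getMessage(), "\n"; }
}
```

Any exception here should abort the request before a single byte is written to disk; continuing after a failed check is the fail-open behaviour described above.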

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Nuclei template pull request adds CVE-2026-1357 detection logic
A ProjectDiscovery Nuclei templates pull request proposed detection for vulnerable WPvivid instances by checking plugin version and probing the send_to_site endpoint for a WPvivid-specific error response. The submission also documented a locally validated exploit chain using the fail-open crypto condition and path traversal to place a web-accessible file.
Technical details of the flaw and patch are published
Subsequent reporting detailed the root cause as RSA decryption error handling that could fall back to a predictable null-byte AES key, combined with unsafe path handling that enabled directory traversal and PHP upload. Coverage also described the vendor patch behavior and mitigation guidance such as upgrading, rotating keys, and checking for unexpected PHP files.
Wordfence reports observing and blocking attack activity
Wordfence said it had observed and blocked attacks targeting CVE-2026-1357, indicating active probing or exploitation attempts following disclosure. The activity was tied to the vulnerable send_to_site functionality.
CVE-2026-1357 is publicly disclosed
Public reporting disclosed CVE-2026-1357 as a critical unauthenticated arbitrary file upload vulnerability in WPvivid Backup & Migration, enabling remote code execution on sites using affected versions up to 0.9.123. Reports noted the highest risk applied when the non-default site-to-site backup receiving feature was enabled.
WPVividPlugins releases version 0.9.124 to fix CVE-2026-1357
WPVividPlugins released WPvivid Backup & Migration version 0.9.124 to address the vulnerability. The fix added decryption-failure checks, filename sanitization, and file-type restrictions on uploads.
Defiant validates PoC and notifies WPVividPlugins
After validating a proof-of-concept for the WPvivid vulnerability, Defiant notified the vendor WPVividPlugins about the issue. This advanced coordinated disclosure of the flaw affecting versions up to 0.9.123.
Researcher Lucas Montes reports WPvivid flaw to Defiant
Researcher Lucas Montes (NiRoX) reported a critical unauthenticated file upload and remote code execution flaw in the WPvivid Backup & Migration WordPress plugin to Defiant. The issue later became tracked as CVE-2026-1357.
Sources
Add CVE-2026-1357 WPvivid Backup & Migration RCE detection by radraccoon · Pull Request #15359 · projectdiscovery/nuclei-templates · GitHub (github.com)
Critical vulnerability in WPvivid backup plugin allows remote code execution | SC Media (scworld.com)
Wordpress Backup Plugin Vulnerability Exposes 800,000 Sites to Remote Code Execution Attacks (cybersecuritynews.com)
WordPress plugin with 900k installs vulnerable to critical RCE flaw (bleepingcomputer.com)
Null Byte Nightmare: Critical WPvivid Backup Flaw (CVSS 9.8) Exposes 800K WordPress Sites (securityonline.info)
CVE-2026-1357 - Migration, Backup, Staging <= 0.9.123 - Unauthenticated Arbitrary File Upload (cvefeed.io)


