What is CVE-2026-1357?

A critical vulnerability exists in the WPvivid Backup & Migration plugin for WordPress, enabling unauthenticated arbitrary file uploads. Attackers can exploit this flaw to execute remote code. Immediate action is required to mitigate risk.

What is the severity of CVE-2026-1357?

CVE-2026-1357 has a severity rating of CRITICAL with a CVSS base score of 9.8.

CVE-2026-1357 | Critical Vulnerability in WPvivid Backup & Migration Plugin

The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Upload in versions up to and including 0.9.123. This vulnerability allows unauthenticated attackers to upload arbitrary PHP files to publicly accessible directories, enabling Remote Code Execution. The severity level is critical with a CVSS score of 9.8, indicating a significant risk to organizations using this plugin.

The vulnerability stems from improper error handling in the RSA decryption process combined with a lack of path sanitization when writing uploaded files. When the plugin fails to decrypt a session key, it does not terminate execution but instead passes a boolean false value to the phpseclib library's AES cipher initialization. This allows attackers to exploit the vulnerability by encrypting a malicious payload using a predictable null-byte key.

Furthermore, the plugin accepts filenames from the decrypted payload without sanitization, enabling directory traversal to escape the protected backup directory. This vulnerability has been categorized as CWE-434, which pertains to Unrestricted File Upload.

Organizations should prioritize patching immediately. The risk to organizations includes potential unauthorized access and execution of malicious code on affected WordPress installations.

Vulnerability Details

The WPvivid Backup & Migration plugin for WordPress is affected by a critical vulnerability characterized by Unauthenticated Arbitrary File Upload due to improper error handling and lack of path sanitization. The CVSS score of 9.8 signifies the severity of this issue. The vulnerability was disclosed on February 11, 2026, and affects versions up to and including 0.9.123.

Technical Analysis

The root cause of this vulnerability is the improper handling of error states during the RSA decryption process. When the decryption fails, the plugin does not cease execution, allowing the subsequent AES cipher initialization to process a boolean false value as a string of null bytes.

This vulnerability has a low attack complexity, requiring no privileges or user interaction. Attackers may leverage this flaw over a network, leading to high confidentiality, integrity, and availability impact.

Risk & Impact Analysis

The real-world deployment risk associated with CVE-2026-1357 is significant. Organizations utilizing the WPvivid Backup & Migration plugin must recognize that the vulnerability allows for the potential execution of arbitrary code, which can lead to data breaches and system compromise. The urgency of addressing this vulnerability is underscored by its high CVSS score and the potential for widespread exploitation.

Given the critical nature of this vulnerability, organizations should address it in their priority patch cycle to mitigate risks effectively.

Exploitation Status

Signal	Status
Known Exploit	Yes
Public PoC	Yes
Actively Exploited	No
Ransomware Use	No

Affected Versions

The vulnerable versions range from all versions prior to vendor patch 0.9.124 of the WPvivid Backup & Migration plugin.

Mitigation & Remediation

Organizations should prioritize patching immediately. The vendor has released a patch to remediate this vulnerability. If the patch cannot be applied, organizations should consider implementing configuration hardening and network controls to restrict access to the affected plugin.

For further assistance, organizations can consult best practices for penetration testing as part of their security assessments.

Detection Guidance

Organizations should monitor logs for any unauthorized file uploads, particularly PHP files, and look for behavioral anomalies related to the WPvivid Backup & Migration plugin. They should also watch for any unexpected changes within the backup directories.

AppSecure Threat Intelligence Insight

The long-term significance of CVE-2026-1357 highlights the critical nature of proper error handling and file upload validation in web applications. This vulnerability underscores a pattern of security oversights that can lead to severe exploitation.

Security teams must prioritize rigorous testing and validation processes to mitigate similar vulnerabilities. For comprehensive security evaluations, organizations are encouraged to explore resources on penetration testing methodology and maintain an updated vulnerability management program to address and remediate emerging threats.

Ultimately, proactive measures and continuous security assessments are essential to defend against vulnerabilities like CVE-2026-1357.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2026-1357: Critical Vulnerability in WPvivid Backup & Migration Plugin for WordPress