
Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Critical RCE vulnerability in WPvivid Backup & Migration plugin

1 unique sources, 1 articles

Summary


A critical remote code execution (RCE) vulnerability (CVE-2026-1357) in the WPvivid Backup & Migration plugin for WordPress, installed on over 900,000 websites, allows unauthenticated attackers to upload arbitrary files. The flaw, rated 9.8 in severity, affects versions up to 0.9.123 and can lead to complete website takeover. The vulnerability stems from improper error handling in RSA decryption and a lack of path sanitization, which together enable directory traversal and malicious PHP file uploads. Exposure is limited by a 24-hour exploitation window and by the requirement that the 'receive backup from another site' option be enabled. A patch (version 0.9.124) was released on January 28, 2026, addressing the flaw by improving error handling, sanitizing filenames, and restricting uploads to specific file types.
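
The three fixes named above (failing closed when RSA decryption errors, sanitizing the file name, and allowlisting upload types) look like this in PHP 8. This is an added example, not WPvivid's code; the function names, the extension allowlist, the 32-byte key length and the storage directory are assumptions.

```php
<?php
declare(strict_types=1);
// Added illustration, not WPvivid code. Function names, the extension
// allowlist, the 32-byte key length and the directory are assumptions.
const ALLOWED_EXTENSIONS = ['zip', 'gz', 'tar', 'sql'];

/** Unwrap an RSA-encrypted session key, failing closed on any error. */
function unwrap_session_key(string $wrapped, OpenSSLAsymmetricKey $privateKey): string
{
    $key = '';
    // openssl_private_decrypt() signals failure by returning false; that
    // result must stop the request rather than flow into later crypto.
    $ok = openssl_private_decrypt($wrapped, $key, $privateKey, OPENSSL_PKCS1_OAEP_PADDING);
    if ($ok !== true || strlen($key) !== 32) {
        throw new RuntimeException('session key rejected');
    }
    return $key;
}

/** Map a client-supplied file name to a path inside $dir, or throw. */
function safe_backup_path(string $dir, string $name): string
{
    // Plain file names only: no separators, no leading dot, no NUL or newline.
    if (preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]*\z/', $name) !== 1) {
        throw new InvalidArgumentException('illegal file name');
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        throw new InvalidArgumentException('file type not allowed');
    }
    return rtrim($dir, '/') . '/' . $name;
}

// Constructed inputs: one legitimate archive name and three that must fail.
foreach (['site_backup.zip', '../../x.php', 'x.php', 'sub/db.sql'] as $name) {
    try {
        echo $name, ' -> ', safe_backup_path('/srv/backups/incoming', $name), "\n";
    } catch (InvalidArgumentException $e) {
        echo $name, ' -> rejected (', $e->getMessage(), ")\n";
    }
}

// A garbage blob must raise instead of producing a usable key.
$rsa = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
try {
    unwrap_session_key(random_bytes(256), $rsa);
} catch (RuntimeException $e) {
    echo 'bad key blob -> ', $e->getMessage(), "\n";
}
```

Only `site_backup.zip` resolves to a path; the traversal name, the `.php` name and the name with a subdirectory are rejected before any file is written.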

Timeline

  1. 12.02.2026 19:09 · 1 article

    Critical RCE vulnerability in WPvivid Backup & Migration plugin disclosed and patched

    A critical remote code execution (RCE) vulnerability (CVE-2026-1357) in the WPvivid Backup & Migration plugin for WordPress, affecting versions up to 0.9.123, was disclosed and patched. The flaw, rated 9.8 in severity, allows unauthenticated attackers to upload arbitrary files and achieve remote code execution. The vulnerability was reported by researcher Lucas Montes (NiRoX) on January 12, 2026, and a patch (version 0.9.124) was released on January 28, 2026, addressing the issue by improving error handling, filename sanitization, and restricting uploads to specific file types.


Information Snippets