WPvivid Backup & Migration plugin security update 0.9.124 (CVE-2026-1357)
Security Patch Release
Summary
Hide ▲
Show ▼
WPVividPlugins released version 0.9.124 on January 28 to fix CVE-2026-1357 in the WPvivid Backup & Migration plugin for WordPress. The patch closes a critical remote code execution path that could let attackers upload arbitrary files without authentication and potentially take over affected sites. It applies to plugin versions up to 0.9.123, and administrators should upgrade as soon as possible.
Related Happenings
Squid web proxy patch for CVE-2026-47729
Security Patch Release
H score20
First: 22.06.2026 17:29
Last: 22.06.2026 17:29
Sources 1
About this happening:
**Squid maintainers** merged a **null-terminator check** for **CVE-2026-47729** into the **development branch** and **v7**, closing the FTP-parser over-read that could expose shar...
Squid web proxy patch for CVE-2026-47729
Security Patch ReleaseAbout this happening: **Squid maintainers** merged a **null-terminator check** for **CVE-2026-47729** into the **development branch** and **v7**, closing the FTP-parser over-read that could expose shar...
Gravity SMTP security patch release for CVE-2026-4020
Security Patch Release
H score16
First: 20.06.2026 12:56
Last: 20.06.2026 12:56
Sources 1
About this happening:
**Gravity SMTP** released **version 2.1.5** to fix **CVE-2026-4020**, closing a **medium-severity information disclosure** flaw in the WordPress plugin. The patch addresses a bug...
Gravity SMTP security patch release for CVE-2026-4020
Security Patch ReleaseAbout this happening: **Gravity SMTP** released **version 2.1.5** to fix **CVE-2026-4020**, closing a **medium-severity information disclosure** flaw in the WordPress plugin. The patch addresses a bug...
F5 security patch release for CVE-2026-42530
Security Patch Release
H score39
First: 18.06.2026 20:32
Last: 18.06.2026 20:32
Sources 1
About this happening:
**F5** released security updates for **NGINX Open Source** after finding **two critical vulnerabilities** that could lead to **remote code execution** on affected systems. The pat...
F5 security patch release for CVE-2026-42530
Security Patch ReleaseAbout this happening: **F5** released security updates for **NGINX Open Source** after finding **two critical vulnerabilities** that could lead to **remote code execution** on affected systems. The pat...
Everest Forms Pro plugin patch for CVE-2026-3300
Security Patch Release
H score43
First: 06.06.2026 17:09
Last: 06.06.2026 17:09
Sources 1
About this happening:
The **Everest Forms developer** released a patch for **CVE-2026-3300** in **Everest Forms Pro** on **March 18**, closing an **unauthenticated arbitrary code execution** flaw affec...
Everest Forms Pro plugin patch for CVE-2026-3300
Security Patch ReleaseAbout this happening: The **Everest Forms developer** released a patch for **CVE-2026-3300** in **Everest Forms Pro** on **March 18**, closing an **unauthenticated arbitrary code execution** flaw affec...
Nginx security patch release for CVE-2026-49975
Security Patch Release
H score42
First: 03.06.2026 22:08
Last: 03.06.2026 22:08
Sources 1
About this happening:
Vendors released fixes for the **HTTP/2 Bomb** DoS issue, closing a path that could let a **single client** exhaust server memory within seconds. The patch set covers **nginx 1.29...
Nginx security patch release for CVE-2026-49975
Security Patch ReleaseAbout this happening: Vendors released fixes for the **HTTP/2 Bomb** DoS issue, closing a path that could let a **single client** exhaust server memory within seconds. The patch set covers **nginx 1.29...
Timeline
-
12.02.2026 19:09 1 articles · 4mo ago
Vulnerability reported to Defiant
Initial DisclosureResearcher Lucas Montes (NiRoX) reported a critical vulnerability in the WPvivid Backup & Migration plugin for WordPress to Defiant, starting the handling of CVE-2026-1357 as an unauthenticated arbitrary file upload flaw that could lead to remote code execution and site takeover.
Show sources
- WordPress plugin with 900k installs vulnerable to critical RCE flaw — www.bleepingcomputer.com — 12.02.2026 19:09
-
12.02.2026 19:09 1 articles · 4mo ago
Vendor notified after proof-of-concept validation
Technical Analysis UpdateAfter validating the proof-of-concept exploit for CVE-2026-1357, Defiant notified WPVividPlugins about a critical flaw in the WPvivid Backup & Migration plugin that could permit arbitrary file upload without authentication and remote code execution.
Show sources
- WordPress plugin with 900k installs vulnerable to critical RCE flaw — www.bleepingcomputer.com — 12.02.2026 19:09
-
12.02.2026 19:09 2 articles · 4mo ago
Patch released in version 0.9.124
Mitigation Patch UpdateWPVividPlugins released version 0.9.124 for the WPvivid Backup & Migration plugin, adding checks that stop execution if RSA decryption fails, sanitizing uploaded file names, and restricting uploads to allowed backup file types such as ZIP, GZ, TAR, and SQL.
Show sources
- WordPress plugin with 900k installs vulnerable to critical RCE flaw — www.bleepingcomputer.com — 12.02.2026 19:09
- WordPress plugin with 900k installs vulnerable to critical RCE flaw — www.bleepingcomputer.com — 12.02.2026 19:09
-
12.02.2026 02:00 1 articles · 4mo ago
Public disclosure of CVE-2026-1357
Technical Analysis UpdatePublic disclosure identified CVE-2026-1357 as a critical remote code execution flaw in the WPvivid Backup & Migration plugin for WordPress, affecting all versions up to 0.9.123 and posing higher risk to sites with the non-default receive backup from another site option enabled.
Show sources
- WordPress plugin with 900k installs vulnerable to critical RCE flaw — www.bleepingcomputer.com — 12.02.2026 19:09