
WPvivid Backup & Migration plugin security update 0.9.124 (CVE-2026-1357)

Security Patch Release
Happening score: 27
1 unique source, 1 article

Summary


WPVividPlugins released version 0.9.124 on January 28 to fix CVE-2026-1357 in the WPvivid Backup & Migration plugin for WordPress. The patch closes a critical remote code execution path that could let attackers upload arbitrary files without authentication and potentially take over affected sites. It applies to plugin versions up to 0.9.123, and administrators should upgrade as soon as possible.

Related Happenings

LiteSpeed cPanel user-end plugin urgent security update (CVE-2026-48172)

Security Patch Release
First: 27.05.2026 13:06 Last: 27.05.2026 13:06 Sources 1

About this happening: LiteSpeed released **urgent security updates** for the **cPanel user-end plugin** after **CVE-2026-48172** was found to be **actively exploited**, reducing exposure for systems ru...

Avada Builder 3.15.3 patch release (CVE-2026-4782, CVE-2026-4798)

Security Patch Release
First: 15.05.2026 18:56 Last: 15.05.2026 18:56 Sources 1

About this happening: **Avada Builder** shipped **version 3.15.3** as the full fix for **CVE-2026-4782** and **CVE-2026-4798**, closing the plugin flaws that could expose files and database data. A pri...

NGINX rewrite-rule workaround for CVE-2026-42945

Advisory/Mitigation
First: 14.05.2026 18:43 Last: 14.05.2026 18:43 Sources 1

About this happening: **F5** issued a **workaround** for vulnerable **NGINX rewrite rules**, reducing exposure to **CVE-2026-42945** for operators who cannot upgrade immediately. The guidance replaces...

F5 security patch release for CVE-2026-42945

Security Patch Release
First: 14.05.2026 09:00 Last: 14.05.2026 09:00 Sources 1

About this happening: F5 released **security fixes** for **NGINX Plus** and **NGINX Open Source** after disclosing **multiple vulnerabilities**, including **CVE-2026-42945**. The patch release covers i...

Latest development: 17.05.2026 14:57

VulnCheck reported active exploitation of CVE-2026-42945 against NGINX Plus and NGINX Open Source, saying honeypot networks saw weaponized crafted HTTP requests that can crash worker processes and, when ASLR is disabled, enable remote code execution.

cPanel security patch release for CVE-2026-41940

Security Patch Release
First: 29.04.2026 12:37 Last: 29.04.2026 12:37 Sources 1

About this happening: **cPanel** released **security updates** for **cPanel and WHM** after an **authentication bypass** flaw could let remote attackers reach control-panel access, with fixes now cover...

Latest development: 04.05.2026 22:14

CVE-2026-41940 in cPanel, WebHost Manager (WHM), and WP Squared was rapidly exploited after public disclosure, with Censys reporting attacks from multiple threat actors within 24 hours and about 15,000 potentially compromised instances in the first day. KnownHost said about 30 managed cPanel servers showed attempted exploitation, WatchTowr Labs published a PoC exploit and technical analysis, and Defused said much of the observed activity copied WatchTowr's PoC exactly.

Timeline

  1. 12.02.2026 19:09 1 article · 3mo ago

    Vulnerability reported to Defiant

    Initial Disclosure

    Researcher Lucas Montes (NiRoX) reported a critical vulnerability in the WPvivid Backup & Migration plugin for WordPress to Defiant, starting the handling of CVE-2026-1357 as an unauthenticated arbitrary file upload flaw that could lead to remote code execution and site takeover.

  2. 12.02.2026 19:09 1 article · 3mo ago

    Vendor notified after proof-of-concept validation

    Technical Analysis Update

    After validating the proof-of-concept exploit for CVE-2026-1357, Defiant notified WPVividPlugins about a critical flaw in the WPvivid Backup & Migration plugin that could permit arbitrary file upload without authentication and remote code execution.

  3. 12.02.2026 19:09 2 articles · 3mo ago

    Patch released in version 0.9.124

    Mitigation Patch Update

    WPVividPlugins released version 0.9.124 for the WPvivid Backup & Migration plugin, adding checks that stop execution if RSA decryption fails, sanitizing uploaded file names, and restricting uploads to allowed backup file types such as ZIP, GZ, TAR, and SQL.

  4. 12.02.2026 02:00 1 article · 3mo ago

    Public disclosure of CVE-2026-1357

    Technical Analysis Update

    Public disclosure identified CVE-2026-1357 as a critical remote code execution flaw in the WPvivid Backup & Migration plugin for WordPress, affecting all versions up to 0.9.123 and posing higher risk to sites that have the non-default "receive backup from another site" option enabled.
