WPvivid Backup & Migration plugin unauthenticated file upload RCE (CVE-2026-1357)

Vulnerability
1 unique source, 1 article

Summary

A critical RCE vulnerability in the WPvivid Backup & Migration WordPress plugin puts more than 900,000 websites at risk of complete takeover. The flaw, tracked as CVE-2026-1357, allows arbitrary file uploads without authentication and affects all versions up to 0.9.123. Risk is highest on sites that enable the non-default “receive backup from another site” option, and a fix is available in 0.9.124.

Timeline

  1. 12.02.2026 19:09 · 1 article

    Researcher reports CVE-2026-1357 to Defiant

    Initial Disclosure

    Lucas Montes (NiRoX) reported the CVE-2026-1357 flaw in the WPvivid Backup & Migration plugin to Defiant on January 12, after identifying improper RSA decryption error handling and missing path sanitization that can lead to arbitrary file upload and remote code execution.
  2. 12.02.2026 19:09 · 1 article

    Defiant notifies WPVividPlugins after proof-of-concept validation

    Untyped Phase

    After validating the provided proof-of-concept exploit, Defiant notified WPVividPlugins on January 22 so the vendor could begin remediation for the affected WordPress plugin.
  3. 12.02.2026 19:09 · 1 article

    WPVividPlugins releases version 0.9.124

    Mitigation Patch Update

    WPVividPlugins released version 0.9.124 on January 28 to address CVE-2026-1357 by stopping execution when RSA decryption fails, sanitizing uploaded file names, and restricting uploads to allowed backup file types such as ZIP, GZ, TAR, and SQL.
  4. 12.02.2026 19:09 · 2 articles

    Critical WPvivid Backup & Migration RCE analysis is published

    Technical Analysis Update

    Defiant described CVE-2026-1357 as a 9.8-severity flaw affecting all versions of the WPvivid Backup & Migration plugin up to 0.9.123, with more than 900,000 installed websites at risk of remote code execution and complete website takeover. Only sites with the non-default "receive backup from another site" option enabled are critically exposed, and attackers have a 24-hour exploitation window for the generated key.
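
The three changes attributed to version 0.9.124 in the timeline (stop when RSA decryption fails, sanitize the uploaded file name, allow only backup file types) can be sketched as a single receiver-side check. This is an added example, not WPvivid's code: the function name, the `$rsaDecrypt` callable, the `/srv/backups` directory and all sample inputs are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Allow-list taken from the 0.9.124 fix description: ZIP, GZ, TAR, SQL.
const ALLOWED_BACKUP_EXT = ['zip', 'gz', 'tar', 'sql'];

/**
 * Hypothetical receiver-side check (not WPvivid's code).
 * $rsaDecrypt is an assumed callable: returns the session key string, or false on failure.
 */
function resolve_backup_target(callable $rsaDecrypt, string $wrappedKey,
                               string $clientName, string $backupDir): array
{
    // 1. Fail closed: stop as soon as RSA decryption does not yield a key.
    $key = $rsaDecrypt($wrappedKey);
    if (!is_string($key) || $key === '') {
        return ['ok' => false, 'reason' => 'key decryption failed'];
    }

    // 2. Sanitize the name: drop directory parts (either separator) and control bytes.
    $name = basename(str_replace('\\', '/', $clientName));
    $name = (string) preg_replace('/[\x00-\x1F\x7F]/', '', $name);
    if ($name === '' || $name === '.' || $name === '..') {
        return ['ok' => false, 'reason' => 'invalid file name'];
    }

    // 3. Allow-list on the final extension only, compared case-insensitively.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_BACKUP_EXT, true)) {
        return ['ok' => false, 'reason' => "extension '{$ext}' not allowed"];
    }

    return ['ok' => true, 'path' => rtrim($backupDir, '/') . '/' . $name];
}

// Constructed sample inputs: [decryptor, file name sent by the remote site].
$okKey  = fn(string $c) => 'constructed-session-key';
$failed = fn(string $c) => false;
$cases = [
    [$okKey,  'site_backup_2026.zip'],
    [$failed, 'site_backup_2026.zip'],
    [$okKey,  '../../uploads/page.php'],
    [$okKey,  '..\\..\\db_dump.SQL'],
];
foreach ($cases as [$decrypt, $name]) {
    $r = resolve_backup_target($decrypt, 'constructed-wrapped-key', $name, '/srv/backups');
    echo str_pad($name, 26), ' => ', $r['ok'] ? $r['path'] : 'REJECTED: ' . $r['reason'], "\n";
}
```

The order matters: the key check runs before any file name is processed, so a failed decryption never reaches the write path, and traversal components are stripped before the extension test so the stored path always stays inside the backup directory.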