Critical RCE in WPvivid Backup Plugin Threatens 900,000+

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.


Dylan H.

Security Team

February 12, 2026

Affected Products

  • WPvivid Backup & Migration Plugin < 0.9.124

Executive Summary

A critical unauthenticated arbitrary file upload vulnerability (CVE-2026-1357) has been disclosed in the WPvivid Backup & Migration plugin for WordPress, one of the most popular backup solutions with over 900,000 active installations. The vulnerability carries a CVSS score of 9.8 and allows remote attackers to upload and execute arbitrary PHP files without authentication.

CVSS Score: 9.8 (Critical)

The flaw exists in the plugin's "receive a backup from another site" functionality. When this feature is enabled, an attacker can exploit the lack of proper authentication and file validation to upload a malicious PHP webshell, achieving full remote code execution. A patch is available in version 0.9.124.


Vulnerability Overview

| Attribute | Value |
| --- | --- |
| CVE ID | CVE-2026-1357 |
| CVSS Score | 9.8 (Critical) |
| Type | Unauthenticated Arbitrary File Upload / RCE |
| Attack Vector | Network (no authentication required) |
| Privileges Required | None |
| User Interaction | None |
| Condition | "Receive backup from another site" feature must be enabled |

Affected Versions

| Plugin | Affected Versions | Fixed Version |
| --- | --- | --- |
| WPvivid Backup & Migration | < 0.9.124 | 0.9.124 |

Attack Vector

1. Attacker identifies WordPress site running WPvivid with backup receive enabled
2. Attacker sends crafted HTTP request to the backup receiving API endpoint
3. Plugin accepts upload without verifying sender identity or file contents
4. Malicious PHP file (webshell) written to web-accessible directory
5. Attacker accesses uploaded webshell via HTTP
6. Full server compromise — database access, file manipulation, lateral movement

Impact of Successful Exploitation

| Impact | Description |
| --- | --- |
| Remote Code Execution | Execute arbitrary PHP code on the server |
| Database Compromise | Full read/write via wp-config.php credentials |
| Data Exfiltration | Access all site content and user data |
| Webshell Persistence | Uploaded files persist across updates |
| Lateral Movement | Pivot to other sites on shared hosting |
| Malware Distribution | Serve malware to site visitors |

Immediate Remediation

Step 1: Update to Version 0.9.124

# Via WP-CLI
wp plugin update wpvivid-backuprestore
 
# Verify the installed version
wp plugin get wpvivid-backuprestore --field=version

Or update through WordPress admin: Plugins > Installed Plugins > WPvivid > Update Now.

Step 2: Disable Backup Receive Feature

Even after patching, disable the feature if not actively in use:

  1. Navigate to WPvivid Backup > Settings
  2. Locate the "Receive backup from another site" option
  3. Disable the feature and save

Step 3: Scan for Existing Compromise

# Search for recently uploaded PHP files in unexpected locations
find /path/to/wordpress/wp-content/ -name "*.php" -newer /path/to/wordpress/wp-includes/version.php -type f
 
# Check for common webshell signatures
grep -rl "eval\s*(base64_decode" /path/to/wordpress/wp-content/
grep -rl "system\s*(" /path/to/wordpress/wp-content/uploads/
 
# Verify WordPress core integrity
wp core verify-checksums

If Immediate Patching Is Not Possible

  1. Disable the backup receive feature immediately
  2. Deactivate the WPvivid plugin entirely if the feature cannot be disabled
  3. Block access to WPvivid API endpoints at the web server or WAF level
  4. Monitor access logs for suspicious POST requests to WPvivid endpoints

Detection Indicators

| Indicator | Description |
| --- | --- |
| POST requests to WPvivid API endpoints | Exploitation attempts |
| PHP files in wp-content/uploads/ | Webshells uploaded through the vulnerability |
| Access to newly created PHP files | Attacker accessing an uploaded webshell |
| Outbound connections from web server | Post-exploitation data exfiltration |
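
The following script is an added example, not part of the original article or the plugin's code. It checks a web server access log for the first three indicators above and correlates them per client. It assumes the combined log format and that WPvivid requests contain "wpvivid" in the URI (the article does not name the endpoint); the function names, `WPVIVID_PATTERN` and the sample log lines are constructed for illustration.

```bash
# Added example: triage a combined-format access log for the indicators above.
# Assumption: WPvivid requests carry "wpvivid" in the URI; the page does not
# name the endpoint, so set WPVIVID_PATTERN for your site. Parameters sent only
# in a POST body are not logged and cannot be matched here.
WPVIVID_PATTERN="${WPVIVID_PATTERN:-wpvivid}"

# "ip uri" for each POST whose URI contains the pattern (case-insensitive).
wpvivid_posts() {
  awk -v pat="$WPVIVID_PATTERN" '
    { method = $6; sub(/^"/, "", method) }
    method == "POST" && index(tolower($7), tolower(pat)) { print $1, $7 }' "$1"
}

# "ip status uri" for PHP files under wp-content/uploads/ answered with 2xx.
uploads_php_hits() {
  awk '
    { uri = $7; sub(/\?.*/, "", uri) }
    tolower(uri) ~ /\/wp-content\/uploads\/.*\.php$/ && $9 ~ /^2/ {
      print $1, $9, uri }' "$1"
}

# Clients that POSTed to WPvivid and later got a 2xx for PHP under uploads/.
correlated_clients() {
  awk -v pat="$WPVIVID_PATTERN" '
    { method = $6; sub(/^"/, "", method); uri = $7; sub(/\?.*/, "", uri) }
    method == "POST" && index(tolower($7), tolower(pat)) { posted[$1] = 1 }
    ($1 in posted) && tolower(uri) ~ /\/wp-content\/uploads\/.*\.php$/ &&
      $9 ~ /^2/ && !seen[$1]++ { print $1 }' "$1"
}

# Constructed sample lines (documentation IP ranges, placeholder paths).
sample_log() {
  cat <<'EOF'
198.51.100.10 - - [12/Feb/2026:10:00:00 +0000] "GET /wp-content/uploads/2026/02/photo.jpg HTTP/1.1" 200 5120 "-" "-"
203.0.113.7 - - [12/Feb/2026:10:00:05 +0000] "POST /wpvivid-endpoint-placeholder HTTP/1.1" 200 64 "-" "-"
203.0.113.7 - - [12/Feb/2026:10:00:09 +0000] "GET /wp-content/uploads/example-dir/unknown.php HTTP/1.1" 200 12 "-" "-"
198.51.100.10 - - [12/Feb/2026:10:01:00 +0000] "GET /wp-content/uploads/missing.php HTTP/1.1" 404 0 "-" "-"
192.0.2.44 - - [12/Feb/2026:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 900 "-" "-"
192.0.2.44 - - [12/Feb/2026:10:02:30 +0000] "GET /wp-content/uploads/cache/old.php HTTP/1.1" 200 33 "-" "-"
EOF
}

log=$(mktemp) && sample_log > "$log"
echo "WPvivid POSTs:";            wpvivid_posts "$log"
echo "PHP served from uploads/:"; uploads_php_hits "$log"
echo "Correlated clients:";       correlated_clients "$log"
rm -f "$log"
```

Any PHP file served from uploads/ deserves review on its own; the correlated list only prioritises clients whose requests follow the upload-then-access order described under Attack Vector.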

Post-Remediation Steps

  1. Confirm plugin updated to 0.9.124 or later
  2. Disable backup receive feature if not required
  3. Scan installation for webshells and unauthorized modifications
  4. Review user accounts for unauthorized administrators
  5. Rotate all credentials — WordPress admin, database, API keys
  6. Regenerate WordPress security keys using wp config shuffle-salts
  7. Deploy a WAF (Wordfence, Sucuri) for ongoing protection
  8. Implement file integrity monitoring

