Login Sign Up

CVE-2026-1357

9.8 CRITICAL
Remote Code Execution

📋 TL;DR

This vulnerability allows unauthenticated attackers to upload arbitrary PHP files to WordPress sites using the WPvivid Backup & Migration plugin, leading to remote code execution. It affects all WordPress sites running vulnerable plugin versions up to 0.9.123. Attackers can take complete control of affected websites.

💻 Affected Systems

Products:
  • WPvivid Backup & Migration WordPress plugin
Versions: All versions up to and including 0.9.123
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations with the vulnerable plugin version are affected regardless of configuration.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete website compromise with attacker gaining full administrative access, data theft, malware distribution, and website defacement.

🟠

Likely Case

Attackers upload web shells to gain persistent access, install backdoors, steal sensitive data, and use the site for further attacks.

🟢

If Mitigated

With proper web application firewalls and file upload restrictions, exploitation attempts would be blocked, limiting impact to failed attack attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires no authentication and has publicly available technical details, making exploitation straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.9.124 or later

Vendor Advisory: https://wordpress.org/plugins/wpvivid-backuprestore/#developers

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find WPvivid Backup & Migration. 4. Click 'Update Now' if available. 5. If no update shows, manually download version 0.9.124+ from WordPress.org and replace plugin files.

🔧 Temporary Workarounds

Disable vulnerable plugin

all

Temporarily disable the WPvivid Backup & Migration plugin until patched

wp plugin deactivate wpvivid-backuprestore

Restrict file uploads

linux

Add web server rules to block uploads to wp-content/uploads/wpvivid_backup directory

# Add to .htaccess for Apache:
<LocationMatch "^/wp-content/uploads/wpvivid_backup/.*\.php$">
    Deny from all
</LocationMatch>
# Add to nginx config:
location ~ ^/wp-content/uploads/wpvivid_backup/.*\.php$ {
    deny all;
}

🧯 If You Can't Patch

  • Immediately disable the WPvivid Backup & Migration plugin
  • Implement a web application firewall (WAF) with rules to block requests containing 'wpvivid_action=send_to_site'

🔍 How to Verify

Check if Vulnerable:

Check plugin version in WordPress admin under Plugins → Installed Plugins. If WPvivid Backup & Migration version is 0.9.123 or lower, you are vulnerable.

Check Version:

wp plugin get wpvivid-backuprestore --field=version

Verify Fix Applied:

Verify plugin version is 0.9.124 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests containing 'wpvivid_action=send_to_site'
  • File uploads to wp-content/uploads/wpvivid_backup directory
  • PHP file creation in unexpected locations

Network Indicators:

  • POST requests to /wp-admin/admin-ajax.php with wpvivid_action parameter
  • Unusual file upload patterns to WordPress directories

SIEM Query:

source="web_logs" AND (uri_path="*admin-ajax.php*" AND post_data="*wpvivid_action=send_to_site*")

📊 Metadata

CVE ID: CVE-2026-1357
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-434
EPSS Score: 0.4% exploit probability (60.1th percentile)
Published: February 11, 2026
Last Updated: February 11, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-1357, you might also want to check these:

CVE-2024-52490 10.0

This vulnerability allows attackers to upload arbitrary files, including web shells, to Pathomation ...

Same vulnerability type (CWE-434)
CVE-2024-43160 10.0

CVE-2024-43160 is an unauthenticated arbitrary file upload vulnerability in the BerqWP WordPress plu...

Same vulnerability type (CWE-434)
CVE-2024-8940 10.0

CVE-2024-8940 is a critical unrestricted file upload vulnerability in Scriptcase version 9.4.019 tha...

Same vulnerability type (CWE-434)