Critical Flaw in WPvivid Backup: Millions at Risk?
14 Feb
Summary
- A critical vulnerability allows remote code execution through file uploads.
- The flaw affects WPvivid Backup and Migration plugin versions prior to 0.9.123.
- Only sites with 'receive backup from another site' enabled are vulnerable.

A critical security flaw has been identified in the widely used WordPress plugin WPvivid Backup & Migration. Security researchers revealed that versions of the plugin prior to 0.9.123 are susceptible to remote code execution (RCE). The vulnerability, tracked as CVE-2026-1357, carries a severity score of 9.8 out of 10.
The vulnerability stems from improper error handling during RSA decryption coupled with a lack of path sanitization. Together, these issues could allow attackers to upload unauthorized files to a server, ultimately leading to RCE. The plugin, which has over 900,000 active installations, is used for backups, restores, and site migrations.
However, exploiting this bug is not straightforward. It affects only sites where the "receive backup from another site" feature is enabled, a setting that is not active by default. Furthermore, potential attackers have a limited 24-hour window to exploit the vulnerability, as the necessary decryption key expires after one day.
WPvivid released a patch in version 0.9.123 on January 28, and users are strongly advised to update immediately to secure their sites. While the exact number of vulnerable installations remains unknown, approximately 200,000 downloads occurred between the patch release and February 14, 2026.
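To check installed copies against the fixed release named above, here is an added example (not WPvivid's or the researchers' code) that reads the standard WordPress plugin header and compares versions numerically. Matching the plugin by a "wpvivid" substring in its `Plugin Name` header and the sample folder names are assumptions; the sample tree is constructed.

```python
import re
import tempfile
from pathlib import Path

FIXED = (0, 9, 123)  # first patched release, per the article
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.I | re.M)

def parse_version(text):
    """'0.9.99' -> (0, 9, 99): compare numerically, since as strings '0.9.99' > '0.9.123'."""
    return tuple(int(part) for part in re.findall(r"\d+", text))

def read_header(php_file):
    """Read the 'Plugin Name' and 'Version' fields from a plugin file's header comment."""
    head = php_file.read_text(errors="replace")[:8192]  # the header sits at the top of the file
    return {key.lower(): value for key, value in HEADER.findall(head)}

def audit(plugins_dir, name_hint="wpvivid"):
    """Return (folder, version, needs_update) for each plugin whose name contains name_hint."""
    found = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        header = read_header(php)
        if name_hint in header.get("plugin name", "").lower() and "version" in header:
            version = header["version"]
            found.append((php.parent.name, version, parse_version(version) < FIXED))
    return found

def demo():
    """Build a constructed plugins tree and audit it."""
    samples = {  # constructed folder names and headers, not real site data
        "site-a-backup": ("WPvivid Backup Plugin", "0.9.99"),
        "site-b-backup": ("WPvivid Backup Plugin", "0.9.123"),
        "unrelated": ("Some Other Plugin", "0.1.0"),
    }
    with tempfile.TemporaryDirectory() as root:
        for folder, (name, version) in samples.items():
            plugin = Path(root, folder)
            plugin.mkdir()
            plugin.joinpath("main.php").write_text(
                f"<?php\n/**\n * Plugin Name: {name}\n * Version: {version}\n */\n")
        return audit(root)

if __name__ == "__main__":
    for folder, version, needs_update in demo():
        status = "UPDATE to 0.9.123 or later" if needs_update else "patched"
        print(f"{folder}: {version} -> {status}")
```

On a real host, call `audit()` with the path to the site's `wp-content/plugins` directory. A flagged version is only exposed if the "receive backup from another site" feature is also enabled.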




