CVE-2026-1357: CWE-434 Unrestricted Upload of File with Dangerous Type in wpvividplugins WPvivid — Backup, Migration & Staging
The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Upload in versions up to and including 0.9.123. This is due to improper error handling in the RSA decryption process combined with a lack of path sanitization when writing uploaded files. When the plugin fails to decrypt a session key using openssl_private_decrypt(), it does not terminate execution and instead passes the boolean false value to the phpseclib library's AES cipher initialization. The library treats this false value as a string of null bytes, allowing an attacker to encrypt a malicious payload using a predictable null-byte key. Additionally, the plugin accepts filenames from the decrypted payload without sanitization, enabling directory traversal to escape the protected backup directory. This makes it possible for unauthenticated attackers to upload arbitrary PHP files to publicly accessible directories and achieve Remote Code Execution via the wpvivid_action=send_to_site parameter.
AI Analysis
Technical Summary
CVE-2026-1357 is a critical vulnerability in the WPvivid Backup, Migration & Staging plugin for WordPress (versions up to 0.9.123). The issue arises from improper error handling during RSA decryption where failure to decrypt a session key results in passing a false value to the AES cipher initialization, which is treated as a predictable null-byte key. This allows attackers to encrypt malicious payloads. Additionally, the plugin does not sanitize filenames from the decrypted payload, permitting directory traversal attacks to escape the backup directory. Consequently, unauthenticated attackers can upload arbitrary PHP files to publicly accessible directories and execute remote code via the wpvivid_action=send_to_site parameter.
Potential Impact
Successful exploitation allows unauthenticated attackers to upload arbitrary PHP files to the server, leading to remote code execution with the privileges of the web server. This compromises confidentiality, integrity, and availability of the affected system. The CVSS score of 9.8 reflects the critical nature of this vulnerability with network attack vector, no required privileges or user interaction, and full impact on confidentiality, integrity, and availability.
Mitigation Recommendations
No patch or official fix information is provided in the available data. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, it is recommended to disable or remove the vulnerable plugin version to prevent exploitation. Monitor the vendor's official channels for updates and apply patches promptly once released.
CVE-2026-1357: CWE-434 Unrestricted Upload of File with Dangerous Type in wpvividplugins WPvivid — Backup, Migration & Staging
Description
The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Upload in versions up to and including 0.9.123. This is due to improper error handling in the RSA decryption process combined with a lack of path sanitization when writing uploaded files. When the plugin fails to decrypt a session key using openssl_private_decrypt(), it does not terminate execution and instead passes the boolean false value to the phpseclib library's AES cipher initialization. The library treats this false value as a string of null bytes, allowing an attacker to encrypt a malicious payload using a predictable null-byte key. Additionally, the plugin accepts filenames from the decrypted payload without sanitization, enabling directory traversal to escape the protected backup directory. This makes it possible for unauthenticated attackers to upload arbitrary PHP files to publicly accessible directories and achieve Remote Code Execution via the wpvivid_action=send_to_site parameter.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-1357 is a critical vulnerability in the WPvivid Backup, Migration & Staging plugin for WordPress (versions up to 0.9.123). The issue arises from improper error handling during RSA decryption where failure to decrypt a session key results in passing a false value to the AES cipher initialization, which is treated as a predictable null-byte key. This allows attackers to encrypt malicious payloads. Additionally, the plugin does not sanitize filenames from the decrypted payload, permitting directory traversal attacks to escape the backup directory. Consequently, unauthenticated attackers can upload arbitrary PHP files to publicly accessible directories and execute remote code via the wpvivid_action=send_to_site parameter.
Potential Impact
Successful exploitation allows unauthenticated attackers to upload arbitrary PHP files to the server, leading to remote code execution with the privileges of the web server. This compromises confidentiality, integrity, and availability of the affected system. The CVSS score of 9.8 reflects the critical nature of this vulnerability with network attack vector, no required privileges or user interaction, and full impact on confidentiality, integrity, and availability.
Mitigation Recommendations
No patch or official fix information is provided in the available data. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, it is recommended to disable or remove the vulnerable plugin version to prevent exploitation. Monitor the vendor's official channels for updates and apply patches promptly once released.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-01-22T20:12:20.756Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 698c17a84b57a58fa177280b
Added to database: 2/11/2026, 5:46:16 AM
Last enriched: 4/9/2026, 11:17:33 AM
Last updated: 5/12/2026, 3:12:48 PM
Views: 445
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.