CVE-2026-1357 affects the WPvivid Backup & Migration plugin for WordPress, specifically versions up to and including 0.9.123. The vulnerability stems from a flawed error handling mechanism during the RSA decryption process of session keys. When openssl_private_decrypt() fails, it returns false, but the plugin does not halt execution. Instead, it passes this false value to the phpseclib AES cipher initialization, which interprets it as a string of null bytes. This predictable null-byte key allows an attacker to craft an encrypted payload that the plugin will accept. Furthermore, the plugin fails to sanitize filenames extracted from the decrypted payload, enabling directory traversal attacks that allow files to be written outside the intended backup directory. By exploiting the wpvivid_action=send_to_site parameter, an unauthenticated attacker can upload arbitrary PHP files to publicly accessible directories, leading to remote code execution (RCE). This vulnerability requires no authentication or user interaction, making it highly exploitable. The CVSS v3.1 score of 9.8 reflects its critical severity, with full impact on confidentiality, integrity, and availability. Although no public exploits are currently known, the vulnerability's nature and ease of exploitation pose a severe threat to WordPress sites using this plugin.

For European organizations, this vulnerability presents a critical risk. Many businesses, government agencies, and NGOs in Europe rely on WordPress for their web presence, often using plugins like WPvivid Backup & Migration for site backups and migrations. Successful exploitation can lead to complete site compromise, data theft, defacement, or use of the server as a pivot point for further attacks within the network. The ability to upload arbitrary PHP files and execute code remotely without authentication means attackers can bypass most traditional security controls. This can result in significant operational disruption, reputational damage, regulatory penalties under GDPR for data breaches, and financial losses. Public-facing web servers are particularly vulnerable, and organizations with limited patch management or security monitoring capabilities face increased risk. The vulnerability also threatens managed service providers hosting multiple client sites, potentially amplifying impact.

Immediate mitigation steps include updating the WPvivid Backup & Migration plugin to a patched version once released by the vendor. Until a patch is available, organizations should consider disabling the plugin or the vulnerable functionality (especially the wpvivid_action=send_to_site parameter). Implement strict input validation and sanitization on all file uploads and parameters related to backup and migration processes. Web server configurations should restrict execution permissions in upload directories and enforce least privilege principles. Employ Web Application Firewalls (WAFs) with rules to detect and block suspicious file upload patterns and directory traversal attempts. Regularly audit WordPress installations and plugins for unauthorized files or modifications. Monitor logs for unusual activity related to the plugin's endpoints. Finally, conduct security awareness training for administrators managing WordPress environments to recognize and respond to such threats promptly.