CVE-2026-1357: CWE-434 Unrestricted Upload of File with Dangerous Type in wpvividplugins Migration, Backup, Staging – WPvivid Backup & Migration
The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Upload in versions up to and including 0.9.123. This is due to improper error handling in the RSA decryption process combined with a lack of path sanitization when writing uploaded files. When the plugin fails to decrypt a session key using openssl_private_decrypt(), it does not terminate execution and instead passes the boolean false value to the phpseclib library's AES cipher initialization. The library treats this false value as a string of null bytes, allowing an attacker to encrypt a malicious payload using a predictable null-byte key. Additionally, the plugin accepts filenames from the decrypted payload without sanitization, enabling directory traversal to escape the protected backup directory. This makes it possible for unauthenticated attackers to upload arbitrary PHP files to publicly accessible directories and achieve Remote Code Execution via the wpvivid_action=send_to_site parameter.
AI Analysis
Technical Summary
CVE-2026-1357 affects the WPvivid Backup & Migration plugin for WordPress, specifically versions up to and including 0.9.123. The vulnerability is an unauthenticated arbitrary file upload caused by a combination of improper error handling in the RSA decryption process and lack of path sanitization when handling uploaded files. When the plugin attempts to decrypt a session key using openssl_private_decrypt(), failure does not halt execution; instead, a boolean false is passed to the phpseclib AES cipher initialization. The phpseclib library interprets this false as a string of null bytes, allowing attackers to encrypt malicious payloads with a predictable null-byte key. Furthermore, the plugin accepts filenames from the decrypted payload without sanitizing them, enabling directory traversal attacks that escape the intended backup directory. This allows attackers to upload arbitrary PHP files to publicly accessible directories. Through the wpvivid_action=send_to_site parameter, attackers can trigger remote code execution (RCE) on the affected WordPress site. The vulnerability requires no authentication or user interaction, making it highly exploitable. The CVSS v3.1 score is 9.8 (critical), reflecting the ease of exploitation and severe impact on confidentiality, integrity, and availability. No patches were linked at the time of reporting, and no known exploits in the wild have been documented yet. The flaw is categorized under CWE-434 (Unrestricted Upload of File with Dangerous Type).
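The two missing checks described above, written out as a hardened receive path. This is an added example, not WPvivid's or phpseclib's code; the function names, the 32-byte session-key length and the `.zip` allowlist are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added illustration, not WPvivid code. Function names, the 32-byte key
// length and the .zip allowlist are assumptions made for this example.
/** Unwrap the RSA-protected session key, or stop. `false` never reaches the cipher. */
function recover_session_key(string $wrappedKey, $privateKey, int $expectedLen = 32): string
{
    // Returns false on failure; the result must be checked before $key is used.
    $ok = openssl_private_decrypt($wrappedKey, $key, $privateKey);
    if ($ok !== true || !is_string($key) || strlen($key) !== $expectedLen) {
        throw new RuntimeException('session key rejected');
    }
    return $key; // only now may it be handed to the AES cipher
}

/** Map a sender-supplied file name to a path that stays inside $backupDir. */
function safe_backup_path(string $backupDir, string $claimedName, array $allowedExt = ['zip']): string
{
    // Accept a bare file name only: no separators, no leading dot, no control bytes.
    if (preg_match('/\A[A-Za-z0-9_-][A-Za-z0-9._-]{0,200}\z/', $claimedName) !== 1) {
        throw new InvalidArgumentException('file name rejected');
    }
    $ext = strtolower(pathinfo($claimedName, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        throw new InvalidArgumentException('file type rejected');
    }
    $base = realpath($backupDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('backup directory missing');
    }
    return $base . DIRECTORY_SEPARATOR . $claimedName;
}

// Constructed inputs: a throwaway key pair, a blob that is not a valid RSA ciphertext, sample names.
$rsa = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$checks = [
    'invalid wrapped key' => fn() => recover_session_key(str_repeat("\xff", 256), $rsa),
    'traversal name'      => fn() => safe_backup_path(sys_get_temp_dir(), '../../shell.php'),
    'php extension'       => fn() => safe_backup_path(sys_get_temp_dir(), 'x.php'),
    'backup part'         => fn() => safe_backup_path(sys_get_temp_dir(), 'site_backup.part001.zip'),
];
foreach ($checks as $label => $check) {
    try {
        $check();
        echo "$label: accepted\n";
    } catch (Throwable $e) {
        echo "$label: rejected (", $e->getMessage(), ")\n";
    }
}
```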
Potential Impact
The impact of CVE-2026-1357 is severe for organizations using the WPvivid Backup & Migration plugin. Successful exploitation allows unauthenticated attackers to upload arbitrary PHP files, leading to remote code execution on the web server. This compromises the confidentiality of sensitive data, integrity of website content and configurations, and availability of the WordPress site. Attackers can deploy backdoors, deface websites, steal data, or pivot to internal networks. Since the vulnerability requires no authentication and no user interaction, it can be exploited at scale by automated attacks, increasing risk for all affected sites. Organizations relying on this plugin for backup and migration may face service disruption, data breaches, and reputational damage. The widespread use of WordPress globally amplifies the potential impact, especially for high-profile or business-critical websites.
Mitigation Recommendations
1. Immediately update the WPvivid Backup & Migration plugin to a patched version once available from the vendor.
2. If no patch is available, temporarily disable or uninstall the plugin to prevent exploitation.
3. Implement web application firewall (WAF) rules to block requests containing the wpvivid_action=send_to_site parameter or suspicious file upload attempts.
4. Restrict file upload permissions and ensure that directories used by the plugin are not publicly accessible or executable.
5. Monitor web server logs for unusual file uploads or execution of PHP files in backup directories.
6. Harden PHP configurations to disable execution of scripts in upload or backup directories.
7. Conduct thorough security audits and penetration testing focusing on plugin vulnerabilities.
8. Educate site administrators about the risks of outdated plugins and enforce timely updates.
9. Employ intrusion detection systems to detect anomalous activity related to this vulnerability.
10. Consider isolating WordPress instances or using containerization to limit the blast radius of potential exploitation.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-01-22T20:12:20.756Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 698c17a84b57a58fa177280b
Added to database: 2/11/2026, 5:46:16 AM
Last enriched: 2/26/2026, 7:06:44 PM
Last updated: 3/28/2026, 3:38:46 AM