Close to a million WordPress sites may be vulnerable due to a significant security issue with a plugin


WPvivid Backup & Migration Plugin Exposed to Severe RCE Vulnerability CVE-2026-1357

  • Critical remote code execution flaw identified in WPvivid Backup & Migration
  • Exploitation requires the “receive backup from another site” feature to be enabled, and the attack window is limited to 24 hours
  • Patch released with version 0.9.123 on January 28; immediate user upgrades advised

WPvivid Backup & Migration, a widely used WordPress plugin with nearly one million installations, has been found to contain a critical vulnerability that allows attackers to execute code remotely.

While the consequences may appear dire, certain constraints diminish the practicality of exploitation.

This plugin facilitates website backups, restores, and migrations across different domains or hosting environments. Its fundamental functionalities are available at no cost, with optional premium enhancements for advanced tasks. Currently, it is installed on over 900,000 sites, serving upwards of 20,000 customers.

Exploitation and Remediation

Security analysts from Defiant have identified deficiencies in error handling within the RSA decryption methodology, coupled with inadequate file path sanitization.

These flaws empower malicious entities to upload arbitrary files to the server without authentication, thereby culminating in remote code execution (RCE).

The vulnerability, designated as CVE-2026-1357, carries a severity rating of 9.8/10 (critical). It impacts all editions prior to 0.9.123, released on January 28.

Despite the critical nature of this flaw, exploiting it is not as straightforward as one might presume. Only instances where the “receive backup from another site” feature is enabled are at risk, a setting that is not activated by default.

Moreover, malicious actors are restricted to a mere 24-hour timeframe to stage their attacks, as the necessary keys for sending backup files from other sites become obsolete after one day.

Regrettably, the precise number of vulnerable installations among the 900,000 active users remains unknown.


The official WordPress plugin repository only reports install counts for version 0.9 as a whole, with no finer breakdown by patch level. Nonetheless, since the release of the patch on January 28, the plugin has been downloaded approximately 200,000 times.

Source link: Techradar.com.


Reported By

RS Web Solutions
