CVSS 9.8 (Critical)

CVE-2026-1357: WPvivid Backup Unauthenticated RCE

Overview

  • CVE: CVE-2026-1357
  • Affected Versions: WPvivid Backup & Migration <= 0.9.123
  • CVSS: 9.8 (Critical)
  • Authentication: None required (unauthenticated)
  • Type: Arbitrary File Upload + Remote Code Execution (RCE)

In January 2026, a critical unauthenticated remote code execution vulnerability was discovered in WPvivid Backup & Migration, a plugin installed on over 900,000 WordPress sites.

The vulnerability affects sites that have enabled the "receive backup from another site" option. This feature is disabled by default, but it is commonly left enabled after site migrations or staging environment setups. Wordfence issued a firewall rule for paid subscribers on January 22, 2026, with the free tier receiving protection on February 21, 2026.

What Happened

The root cause is a combination of two implementation flaws.

Flaw 1 - Execution continues when openssl_private_decrypt() fails: The backup receive endpoint uses RSA encryption to verify that the sending site is legitimate. When openssl_private_decrypt() returned false (a decryption or verification failure), the code did not halt. With no check of the return value after the decryption call, an attacker could skip authentication entirely by sending an invalid or empty signature.

Flaw 2 - No path sanitization on the filename: The backup file receive handler accepted filenames without stripping directory traversal sequences (../). This let an attacker escape the intended upload directory and write files to any location under the WordPress document root that the web server user can write, including theme and plugin directories.

Together, these two flaws allowed an unauthenticated remote attacker to place a PHP file at an arbitrary path and execute it as a web shell.

How the Attack Works

Attack flow:

  1. Target identification: Identify WordPress sites with the "receive backup from another site" option enabled. This can be detected by probing known WPvivid admin paths or API endpoints.

  2. Send a request to the backup receive endpoint: Call the backup receive endpoint via the REST API or admin-ajax.php.

  3. Bypass RSA verification: Submit an invalid or empty signature. openssl_private_decrypt() returns false, but because there is no error check, code execution continues past the authentication gate.

       POST /wp-admin/admin-ajax.php
       action=wpvivid_upload_backup_to_remote
       ...

  4. Write a PHP file via directory traversal: Include ../ sequences in the filename parameter to write outside the backup storage directory.

       filename: ../../themes/twentytwentyfour/shell.php
       content: <?php @eval($_POST['cmd']); ?>

  5. Execute the web shell: Send an HTTP request to the uploaded PHP file to run arbitrary commands on the server.

       POST /wp-content/themes/twentytwentyfour/shell.php
       cmd=system('id');

  6. Exploit window: The receiving key is valid for 24 hours, so the attack must be completed while a receive window is open.

Real-World Impact

  • Approximately 900,000 installs; only sites with the "receive backup from another site" option enabled are exploitable
  • No authentication required, enabling automated large-scale scanning attacks
  • Arbitrary code execution on the server (OS commands, file read/write, database dump)
  • Theft of database credentials and API keys stored in backup files
  • Installation of ransomware or enrollment in botnets
  • Sites had no firewall protection before Wordfence issued its paid rule on January 22, and free-tier sites remained without a rule until February 21

Fix and Lessons

Fix: Patched in version 0.9.124 (released January 28, 2026). The fix adds a proper return value check after openssl_private_decrypt(), halting execution on verification failure. Filename sanitization was also added to strip ../ sequences before any file write operation.
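
To make the two flaws and the fix concrete, here is an added PHP example written for this write-up (it is not WPvivid's code and not its patch). It puts a minimal receive handler carrying both defects beside a hardened version and exercises both on a throwaway directory tree. The function names, the request keys (signature, filename, content), the backups/staging upload directory, and the comparison of the decrypted value against an issued token are assumptions of the example.

```php
<?php
// Added example, not WPvivid code. A minimal "receive backup" handler with the two
// flaws from the write-up, beside a hardened version. The request keys, function
// names, directory layout and the decrypted-token comparison are assumptions.

// Vulnerable shape: the result of openssl_private_decrypt() is ignored and the
// client-supplied filename is joined straight into the destination path.
function receive_backup_vulnerable(array $req, $private_key, string $upload_dir): string
{
    $token = '';
    // Flaw 1: openssl_private_decrypt() returns false for an empty or garbage
    // signature, but the boolean is discarded, so execution simply carries on.
    openssl_private_decrypt(base64_decode($req['signature']), $token, $private_key);

    // Flaw 2: no sanitization, so "../" in the filename escapes $upload_dir.
    $path = $upload_dir . '/' . $req['filename'];
    file_put_contents($path, $req['content']);
    return $path;
}

// Hardened shape: abort on decryption failure, then confine the write.
function receive_backup_hardened(array $req, $private_key, string $upload_dir, string $expected_token)
{
    $token = '';
    $sig = base64_decode($req['signature'], true);
    // Fix 1: a failed decryption ends the request before any file I/O.
    if ($sig === false || !openssl_private_decrypt($sig, $token, $private_key)) {
        return false;
    }
    // The decrypted value must also match what this site issued (assumed protocol).
    if (!hash_equals($expected_token, $token)) {
        return false;
    }

    // Fix 2: keep only the last path component and refuse degenerate names.
    $name = basename($req['filename']);
    if ($name === '' || $name === '.' || $name === '..') {
        return false;
    }
    $base = realpath($upload_dir);
    if ($base === false) {
        return false;
    }
    $path = $base . DIRECTORY_SEPARATOR . $name;
    // Belt and braces: the parent of the destination must resolve to $base itself,
    // so a later change to the name handling cannot quietly reopen the traversal.
    if (realpath(dirname($path)) !== $base) {
        return false;
    }
    file_put_contents($path, $req['content']);
    return $path;
}

// Demo on a throwaway tree (constructed for this example, deleted at the end).
$root    = sys_get_temp_dir() . '/wpvivid-demo-' . bin2hex(random_bytes(4));
$backups = $root . '/wp-content/backups/staging';          // assumed upload dir
$theme   = $root . '/wp-content/themes/twentytwentyfour';  // where the shell lands
mkdir($backups, 0700, true);
mkdir($theme, 0700, true);

$key      = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$expected = bin2hex(random_bytes(16));   // token the receiving site would have issued

// Request shaped like the attack in the write-up: empty signature, traversal filename.
$attack = [
    'signature' => '',
    'filename'  => '../../themes/twentytwentyfour/shell.php',
    'content'   => "<?php @eval(\$_POST['cmd']); ?>",
];

$vuln = receive_backup_vulnerable($attack, $key, $backups);
printf("vulnerable: wrote %s (shell in theme dir: %s)\n", $vuln, file_exists("$theme/shell.php") ? 'yes' : 'no');

$hard = receive_backup_hardened($attack, $key, $backups, $expected);
printf("hardened: %s\n", $hard === false ? 'rejected (decrypt failed)' : "wrote $hard");

// A legitimate sender holds the public key and encrypts the issued token; even then
// the traversal in the filename is collapsed to its basename.
$pub = openssl_pkey_get_details($key)['key'];
openssl_public_encrypt($expected, $enc, $pub);
$legit = ['signature' => base64_encode($enc), 'filename' => '../../themes/x/evil.php', 'content' => 'data'];
$hard = receive_backup_hardened($legit, $key, $backups, $expected);
printf("hardened (valid signature): %s\n", $hard === false ? 'rejected' : "wrote $hard");

// Cleanup of the throwaway tree.
foreach (["$theme/shell.php", "$backups/evil.php"] as $f) { if (file_exists($f)) unlink($f); }
foreach ([$theme, dirname($theme), $backups, dirname($backups), dirname(dirname($backups)), $root] as $d) { rmdir($d); }
```

Run it with the php CLI. The vulnerable handler drops the PHP file into the theme directory with no signature at all; the hardened handler refuses the same request before touching the filesystem, and with a valid signature still writes only inside the upload directory. Note that stripping ../ in a single pass, which the write-up mentions as an alternative, is weaker than basename(): a nested sequence such as ....// reassembles into ../ after one removal. For a backup receiver it is also reasonable to allow-list archive extensions so that a .php file is never accepted, even inside the intended directory.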

Lessons:

  1. Always check error return values: Cryptographic verification failures must abort the subsequent operation. A single if (!$result) { return false; } line would have prevented this critical vulnerability.
  2. Sanitize filenames used in file paths: Apply basename() to any user-supplied filename before using it in a path, and verify that the resolved destination is still inside the intended directory. Stripping ../ in a single pass is weaker, since nested sequences such as ....// reassemble into ../ after one removal.
  3. Audit non-default features after use: Options enabled temporarily for migration are routinely forgotten. Regular configuration reviews catch these residual risks.
  4. Backup plugins carry elevated risk: Backup plugins have broad access to the filesystem and database by design. Vulnerabilities in this class of plugin have outsized impact.
  5. Know your firewall rule timeline: Wordfence paid plans receive rules immediately after a vulnerability is disclosed. The 30-day gap before free-tier delivery is a meaningful exposure window for high-severity issues.

Detection with Nyambush

Nyambush automatically detects installed WordPress plugin versions and cross-references them against its vulnerability database. If WPvivid Backup & Migration is running at version 0.9.123 or below, Nyambush raises a Critical alert with CVSS 9.8 immediately.

Nyambush also checks whether the backup receive endpoint is externally reachable, flagging sites where the non-default option has been left enabled. In continuous monitoring mode, the alert persists until the plugin is confirmed to have been updated to the patched version.
