CVE-2026-1357 Overview
The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress contains a critical unauthenticated arbitrary file upload vulnerability in versions up to and including 0.9.123. This vulnerability allows remote attackers to upload malicious PHP files to publicly accessible directories without authentication, ultimately achieving Remote Code Execution (RCE) on affected WordPress installations.
The flaw stems from improper error handling in the RSA decryption process combined with insufficient path sanitization when processing uploaded files. When the openssl_private_decrypt() function fails to decrypt a session key, the plugin fails to terminate execution and instead passes a boolean false value to the phpseclib library's AES cipher initialization. The library interprets this false value as a string of null bytes, creating a predictable encryption key that attackers can exploit.
Critical Impact
Unauthenticated attackers can achieve full Remote Code Execution on WordPress sites by uploading malicious PHP files through the vulnerable wpvivid_action=send_to_site parameter, potentially leading to complete site compromise.
Affected Products
- WPvivid Backup & Migration plugin for WordPress versions up to and including 0.9.123
- WordPress installations using affected WPvivid plugin versions
- Sites with the "Send to Site" migration feature enabled
Discovery Timeline
- 2026-02-11 - CVE-2026-1357 published to NVD
- 2026-02-11 - Last updated in NVD database
Technical Details for CVE-2026-1357
Vulnerability Analysis
This vulnerability represents a chained attack combining cryptographic implementation flaws with path traversal weaknesses. The root issue lies in the class-wpvivid-crypt.php file, specifically around how the plugin handles failed RSA decryption operations in the site migration functionality.
When an attacker sends a crafted request to the wpvivid_action=send_to_site endpoint, the plugin attempts to decrypt the session key using openssl_private_decrypt(). Under normal circumstances, this function returns the decrypted data or false on failure. However, the vulnerable code fails to properly validate the return value before passing it to the AES cipher initialization in the phpseclib library.
When the phpseclib library is initialized with false as the key, it treats the value as a string, which amounts to a key of null bytes. The key is therefore predictable: a payload encrypted under that known null-byte key is decrypted successfully by the vulnerable plugin.
Root Cause
The vulnerability arises from two distinct coding errors working in concert:
Improper Error Handling (CWE-434): The RSA decryption function's failure case is not properly handled. When openssl_private_decrypt() returns false, execution continues rather than terminating with an error. This allows the false value to propagate through the application.
Missing Path Sanitization: The filename extracted from the decrypted payload is used directly in file write operations without sanitization. This enables directory traversal sequences (e.g., ../) to escape the intended backup directory and write files to arbitrary locations within the web root.
The combination of these flaws transforms a cryptographic implementation error into a full Remote Code Execution vulnerability.
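The following is an added illustration of the two fixes described above (fail-closed handling of the RSA decryption result, and confining the client-supplied filename to the backup directory), written as a stand-alone PHP routine. It is not WPvivid's code and does not reproduce the plugin's functions. It assumes an AES-256-CBC layer built on openssl_decrypt() with a 16-byte IV prepended to the ciphertext in place of the plugin's bundled phpseclib, a 32-byte session key, and a hypothetical receive_migration_file() entry point; every name in it is illustrative.

```php
<?php
// Added example for this advisory, not WPvivid's code: a stand-alone receive
// routine that applies the two checks the patch is described as adding.
// Assumptions: AES layer is openssl_decrypt() (aes-256-cbc, 16-byte IV
// prepended to the ciphertext) standing in for the plugin's bundled phpseclib;
// the session key is 32 bytes; $backup_dir is the only directory the
// migration may write into. All function names here are hypothetical.

declare(strict_types=1);

final class MigrationReceiveError extends RuntimeException {}

// Unwrap the RSA-encrypted session key and fail closed on any problem.
// openssl_private_decrypt() returns bool and writes the plaintext to its
// second argument, so both the flag and the buffer are checked: an empty or
// non-string "key" must never reach the cipher, because phpseclib (as the
// advisory describes) and openssl_decrypt() both zero-pad a short key silently.
function unwrap_session_key(string $wrapped_key, string $private_key_pem): string
{
    $private_key = openssl_pkey_get_private($private_key_pem);
    if ($private_key === false) {
        throw new MigrationReceiveError('private key unusable');
    }
    $session_key = '';
    $ok = openssl_private_decrypt($wrapped_key, $session_key, $private_key);
    if ($ok !== true || !is_string($session_key) || strlen($session_key) !== 32) {
        throw new MigrationReceiveError('session key decryption failed');
    }
    return $session_key;
}

// Confine the client-supplied filename to $backup_dir: refuse (rather than
// silently rewrite) anything with a directory component, so ../ sequences and
// absolute paths are rejected; refuse dotfiles and PHP-executable extensions;
// and re-check the resolved parent directory of the final path.
function safe_destination(string $backup_dir, string $requested_name): string
{
    $name = basename(str_replace('\\', '/', $requested_name));
    if ($name === '' || $name !== $requested_name || $name[0] === '.'
        || preg_match('/\.ph(p\d?|tml|ar)(\.|$)/i', $name)) {
        throw new MigrationReceiveError("rejected filename: $requested_name");
    }
    $base = realpath($backup_dir);
    if ($base === false) {
        throw new MigrationReceiveError('backup directory missing');
    }
    $dest = $base . DIRECTORY_SEPARATOR . $name;
    if (realpath(dirname($dest)) !== $base) {
        throw new MigrationReceiveError('destination escapes backup directory');
    }
    return $dest;
}

function receive_migration_file(string $wrapped_key, string $payload, string $requested_name,
                                string $private_key_pem, string $backup_dir): string
{
    $key  = unwrap_session_key($wrapped_key, $private_key_pem); // never false, never empty
    $dest = safe_destination($backup_dir, $requested_name);     // validated before any I/O
    $iv   = substr($payload, 0, 16);
    $plain = openssl_decrypt(substr($payload, 16), 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    if ($plain === false) {
        throw new MigrationReceiveError('payload decryption failed');
    }
    if (file_put_contents($dest, $plain, LOCK_EX) === false) {
        throw new MigrationReceiveError('write failed');
    }
    return $dest;
}

// --- Demonstration with a freshly generated key pair and a temp directory ---
$rsa = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($rsa, $private_pem);
$public_pem = openssl_pkey_get_details($rsa)['key'];
$backup_dir = sys_get_temp_dir() . '/wpvivid-demo-' . bin2hex(random_bytes(4));
mkdir($backup_dir, 0700);

// A legitimate sender: random session key wrapped with RSA, file body under AES.
$session_key = random_bytes(32);
openssl_public_encrypt($session_key, $wrapped, $public_pem);
$iv = random_bytes(16);
$payload = $iv . openssl_encrypt('backup contents', 'aes-256-cbc', $session_key, OPENSSL_RAW_DATA, $iv);

echo 'ok: ', receive_migration_file($wrapped, $payload, 'site-backup.zip', $private_pem, $backup_dir), PHP_EOL;

$cases = [
    'corrupted wrapped key'     => [substr($wrapped, 0, -1) . chr(ord($wrapped[-1]) ^ 1), 'site-backup.zip'],
    'traversal in filename'     => [$wrapped, '../../wp-content/uploads/traversal.zip'],
    'php extension in filename' => [$wrapped, 'backup.php'],
];
foreach ($cases as $label => [$wk, $fname]) {
    try {
        receive_migration_file($wk, $payload, $fname, $private_pem, $backup_dir);
        echo "UNEXPECTED: $label was accepted", PHP_EOL;
    } catch (MigrationReceiveError $e) {
        echo "rejected ($label): ", $e->getMessage(), PHP_EOL;
    }
}
```

Run it with the PHP CLI: the legitimate transfer is written into a temporary directory and each of the three rejected cases prints its reason. The strictness in unwrap_session_key() is the point of the advisory's root cause: an empty string looks like a valid key to a cipher that zero-pads, so the check has to be on the decrypted bytes themselves, not on the truthiness of whatever the decryption call handed back.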
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:
- Crafting a malicious PHP payload (e.g., a web shell)
- Encrypting the payload using a null-byte AES key (since the plugin will use this key when RSA decryption fails)
- Including directory traversal sequences in the filename to target a publicly accessible directory
- Sending the crafted request to the wpvivid_action=send_to_site endpoint
The exploit leverages the fact that when RSA decryption fails, the resulting null-byte key is predictable, allowing attackers to pre-encrypt their payloads. The vulnerable code in class-wpvivid-send-to-site.php at line 629 processes the uploaded file without validating the decryption success or sanitizing the destination path. Technical details can be found in the WordPress WPvivid Crypt Class and WordPress WPvivid Send to Site source files.
Detection Methods for CVE-2026-1357
Indicators of Compromise
- Unexpected PHP files appearing in web-accessible directories such as wp-content/uploads/ or the WordPress root directory
- Web server access logs showing POST requests to endpoints containing wpvivid_action=send_to_site from suspicious IP addresses
- New files with unusual naming patterns or recently modified timestamps in plugin directories
- Presence of web shells or backdoor scripts that were not part of the original WordPress installation
Detection Strategies
- Monitor web server logs for requests containing the wpvivid_action=send_to_site parameter, especially from unauthenticated sources
- Implement file integrity monitoring (FIM) to detect unauthorized file creation or modification in the WordPress directory structure
- Deploy Web Application Firewall (WAF) rules to inspect and block requests with directory traversal patterns in the payload
- Use endpoint detection solutions like SentinelOne to identify and alert on suspicious PHP file creation events
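As an added example, not part of the advisory, the script below turns the two log-visible indicators above (requests carrying wpvivid_action=send_to_site, and PHP files served from wp-content/uploads/) into a scan over combined-format access log lines, summarised per client IP and response status. The log lines are constructed samples using documentation-range addresses (192.0.2.0/24), and the request path used for the endpoint is an assumption; the match is on the parameter, not the path.

```php
<?php
// Added example, not part of the advisory or of WPvivid: scan combined-format
// web server access logs for requests carrying wpvivid_action=send_to_site and
// for PHP files served from wp-content/uploads/, and summarise hits per client
// IP and response status. Log lines are constructed samples (192.0.2.0/24);
// the endpoint path in them is an assumption.

declare(strict_types=1);

const SAMPLE_ACCESS_LOG = <<<'LOG'
192.0.2.10 - - [11/Feb/2026:10:01:12 +0000] "GET /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
192.0.2.77 - - [11/Feb/2026:10:02:03 +0000] "POST /?wpvivid_action=send_to_site HTTP/1.1" 200 58 "-" "python-requests/2.31"
192.0.2.77 - - [11/Feb/2026:10:02:09 +0000] "POST /?wpvivid_action=send%5Fto%5Fsite HTTP/1.1" 200 58 "-" "python-requests/2.31"
192.0.2.10 - - [11/Feb/2026:10:05:44 +0000] "GET /?p=12 HTTP/1.1" 200 9912 "-" "Mozilla/5.0"
192.0.2.77 - - [11/Feb/2026:10:06:01 +0000] "GET /wp-content/uploads/2026/02/x.php HTTP/1.1" 200 311 "-" "curl/8.4"
192.0.2.99 - - [11/Feb/2026:11:30:00 +0000] "POST /?wpvivid_action=send_to_site HTTP/1.1" 403 199 "-" "curl/8.4"
LOG;

// Combined log format: client, ident, user, [time], "method target proto", status, bytes, ...
const LOG_LINE_RE = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+)[^"]*" (?<status>\d{3}) /';

function parse_log_line(string $line): ?array
{
    if (!preg_match(LOG_LINE_RE, $line, $m)) {
        return null;
    }
    return ['ip' => $m['ip'], 'time' => $m['time'], 'method' => $m['method'],
            'target' => $m['target'], 'status' => (int) $m['status']];
}

// Returns an indicator name or null. The target is URL-decoded and matched
// case-insensitively so percent-encoded variants of the parameter are not missed.
function classify(array $req): ?string
{
    $target = rawurldecode($req['target']);
    if (stripos($target, 'wpvivid_action=send_to_site') !== false) {
        return 'send_to_site';
    }
    if (preg_match('#^/wp-content/uploads/.*\.ph(p\d?|tml|ar)(\?|$)#i', $target)) {
        return 'php_under_uploads';
    }
    return null;
}

// Map of ip => indicator => status => count. A 403 on the endpoint usually
// means a WAF or rewrite rule blocked the request; a 200 needs investigation,
// and a 200 on a PHP file under uploads from the same client is a strong
// sign that an upload succeeded and the file is being executed.
function scan_access_log(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parse_log_line($line);
        if ($req === null || ($kind = classify($req)) === null) {
            continue;
        }
        $findings[$req['ip']][$kind][$req['status']] =
            ($findings[$req['ip']][$kind][$req['status']] ?? 0) + 1;
    }
    return $findings;
}

foreach (scan_access_log(SAMPLE_ACCESS_LOG) as $ip => $indicators) {
    echo $ip, ' ', json_encode($indicators), PHP_EOL;
}
```

Point scan_access_log() at a real log file's contents to use it beyond the sample. One caveat worth keeping in mind: access logs record the request line, not the request body, so a POST that carries wpvivid_action=send_to_site only in its body leaves no trace here. That is why this scan should be paired with file integrity monitoring on the web root rather than used on its own.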
Monitoring Recommendations
- Enable detailed logging for the WordPress installation and the WPvivid plugin specifically
- Configure alerts for new PHP file creation in web-accessible directories outside of normal deployment activities
- Implement network-level monitoring to detect large or unusual POST requests to WordPress endpoints
- Regularly audit installed WordPress plugins and their versions against known vulnerability databases
How to Mitigate CVE-2026-1357
Immediate Actions Required
- Update the WPvivid Backup & Migration plugin to version 0.9.124 or later immediately
- If unable to update, deactivate and remove the WPvivid plugin until a patched version can be installed
- Audit the WordPress installation for any suspicious PHP files that may have been uploaded during the exposure window
- Review web server access logs for any evidence of exploitation attempts targeting the wpvivid_action=send_to_site endpoint
Patch Information
The WPvivid development team has released a security update addressing this vulnerability. The patch adds proper validation of the RSA decryption return value and implements path sanitization for uploaded filenames. Users should update to version 0.9.124 or later as documented in the WordPress WPvivid Changeset Update.
For additional vulnerability details and tracking, refer to the Wordfence Vulnerability Report.
Workarounds
- Temporarily disable the WPvivid plugin if updating is not immediately possible
- Implement WAF rules to block requests containing wpvivid_action=send_to_site until the plugin is updated
- Restrict access to the WordPress admin area and plugin endpoints using IP allowlisting at the web server level
- Consider using server-level file upload restrictions to prevent PHP file creation in web-accessible directories
# Apache .htaccess rule to block the vulnerable endpoint
# Place it above the "# BEGIN WordPress" block so it runs before WordPress's
# own rewrite to index.php. It only inspects the URL query string: a request
# that carries wpvivid_action=send_to_site in the POST body is not matched by
# mod_rewrite, so pair it with a WAF rule or file integrity monitoring.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} wpvivid_action=send_to_site [NC]
RewriteRule .* - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

