Security News

Cybersecurity news aggregator

CRITICAL Vulnerabilities Web Discovery

CVE-2026-1357 — Phpseclib +1 | dbugs

CVE-2026-1357 is a critical unauthenticated arbitrary file upload vulnerability in

PT-2026-7477 · Phpseclib +1
Lucas Montes · Published 2026-02-10 · Updated 2026-02-15 · CVE-2026-1357

CVSS v3.1: 9.8 (Critical)
Base vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
WPvivid Backup & Migration versions up to and including 0.9.123

Description
The WPvivid Backup & Migration plugin for WordPress is susceptible to an unauthenticated arbitrary file upload, potentially leading to remote code execution. This issue stems from flawed error handling during RSA decryption and insufficient path sanitization when handling uploaded files.

Specifically, when the plugin encounters an error during RSA decryption using openssl_private_decrypt(), it fails to halt execution and incorrectly passes a boolean false value to the phpseclib library's AES cipher initialization. This allows attackers to encrypt malicious payloads using a predictable null-byte key. Furthermore, the plugin does not properly sanitize filenames, enabling directory traversal and the ability to upload arbitrary PHP files to publicly accessible directories.

Exploitation occurs via the wpvivid_action=send_to_site parameter. Approximately 900,000 WordPress sites are potentially affected. The vulnerability is most easily exploited when the "receive backup from another site" feature is enabled, with a 24-hour key window for exploitation.

Recommendations
Update the WPvivid Backup & Migration plugin to version 0.9.124 or later. If the "receive backup from another site" feature is enabled, consider disabling it unless absolutely necessary.

Tags: Exploit · Fix · RCE · Unrestricted File Upload

Weakness Enumeration
CWE-434

Affected Products
Wpvivid Backup/Migration
Phpseclib

References
https://github.com/halilkirazkaya/CVE-2026-1357 · Exploit
https://nvd.nist.gov/vuln/detail/CVE-2026-1357 · Security Note
https://twitter.com/vuln_tracker/status/2021532935724396941 · Twitter Post
https://wordfence.com/threat-intel/vulnerabilities/id/e5af0317-ef46-4744-9752-74ce228b5f37?source=cve · Note
https://t.me/true_secator/7907 · Telegram Post
https://plugins.trac.wordpress.org/changeset/3448386/wpvivid-backuprestore#file1 · Note
https://reddit.com/r/u_hackrepair/comments/1r21ros/discussion_critical_vulnerability_in_wpvivid · Reddit Post
https://twitter.com/ThreatSynop/status/2022007136809615573 · Twitter Post
https://i.redd.it/7h3pnfwmhqig1.png · Reddit Post
https://twitter.com/ThreatSynop/status/2021980782231712134 · Twitter Post
https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.123/includes/class-wpvivid-crypt.php#L58 · Note
https://twitter.com/NewsNerdie/status/2022212121480561111 · Twitter Post
https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.122/includes/customclass/class-wpvivid-send-to-site.php#L629 · Note
https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/trunk/includes/class-wpvivid-crypt.php#L58 · Note
https://twitter.com/NiRoXoRiN/status/2021620389563277538 · Twitter Post
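The two checks the description says were missing, sketched in PHP as an added example (not the plugin's or phpseclib's code): fail closed when RSA decryption fails, and accept only an allowlisted file name. The helper names, the 32-byte key length and the zip-only allowlist are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example. Helper names and the 32-byte key length are assumptions,
// not code from WPvivid or phpseclib.

/** Unwrap an RSA-encrypted session key, failing closed. */
function unwrap_session_key(string $wrapped, $privateKey, int $expectedLen = 32): string
{
    $key = '';
    // openssl_private_decrypt() returns false on failure; never let that
    // value (or a wrong-length result) reach cipher key setup.
    $ok = openssl_private_decrypt($wrapped, $key, $privateKey);
    if ($ok !== true || !is_string($key) || strlen($key) !== $expectedLen) {
        throw new RuntimeException('session key unwrap failed');
    }
    return $key;
}

/** Map a client-supplied name to a path inside $baseDir, or throw. */
function safe_upload_path(string $baseDir, string $clientName, array $allowedExt = ['zip']): string
{
    // Allowlist: one base name, one extension, no path separators, extra dots or NUL bytes.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.([A-Za-z0-9]+)\z/', $clientName, $m)) {
        throw new InvalidArgumentException('invalid file name');
    }
    if (!in_array(strtolower($m[1]), $allowedExt, true)) {
        throw new InvalidArgumentException('file type not allowed');
    }
    return rtrim($baseDir, '/') . '/' . $clientName;
}

// Constructed demo: throwaway key pair and made-up file names.
$pair = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_public_encrypt(random_bytes(32), $wrapped, openssl_pkey_get_details($pair)['key']);
echo strlen(unwrap_session_key($wrapped, $pair)), " byte key accepted\n";
try {
    unwrap_session_key('not a ciphertext', $pair);
} catch (RuntimeException $e) {
    echo "bad key blob rejected\n";
}
foreach (['site_backup.zip', '../../uploads/x.php', 'x.php'] as $name) {
    try {
        echo safe_upload_path('/var/backups/incoming', $name), "\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: $name\n";
    }
}
```

Throwing on failure stops the request before any cipher is keyed, and rejecting a bad name outright is safer than trying to repair it.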
