Security News

Cybersecurity news aggregator

CRITICAL Vulnerabilities Web Discovery

CVE-2026-1357 (CVSS 9.8) Hits WordPress Plugin With 900K Installs

A critical unauthenticated remote code execution vulnerability (CVE-2026-1357

WordPress plugin with 900k installs vulnerable to critical RCE flaw: CVE-2026-1357 (CVSS 9.8) and BeyondTrust CVE-2026-1731

Key Takeaways:
CVE-2026-1357: A critical 9.8 CVSS vulnerability in WPvivid Backup & Migration allows unauthenticated attackers to execute remote code.
CVE-2026-1731: BeyondTrust solutions are facing rapid reconnaissance from sophisticated actors using JA4+ fingerprinting and VPN obfuscation.
Remediation: WPvivid users must update to version 0.9.124 immediately; BeyondTrust self-hosted users must patch to RS 25.3.2 or PRA 25.1.1.
Actor Intelligence: Threat groups are leveraging predictable cryptographic failures and non-standard port probing to bypass traditional defenses.

On February 12, 2026, security researchers identified a critical vulnerability in the WPvivid Backup & Migration plugin, affecting over 900,000 WordPress installations. This flaw, indexed as CVE-2026-1357 with a CVSS score of 9.8, allows for unauthenticated remote code execution (RCE) through arbitrary file uploads. Simultaneously, threat actors have initiated rapid reconnaissance against a separate critical vulnerability, CVE-2026-1731, affecting BeyondTrust remote access solutions. These concurrent threats indicate a heightened period of risk for enterprise infrastructure and web-facing assets.
WordPress plugin with 900k installs vulnerable to critical RCE flaw

The vulnerability in WPvivid Backup & Migration (CVE-2026-1357) stems from a combination of cryptographic implementation errors and insufficient input sanitization. While the plugin is a primary tool for site migrations and backups, the flaw resides in the "receive backup from another site" feature. Although this feature is not enabled by default, it is frequently activated during migration workflows or when establishing automated offsite backup routines.

Technical Analysis of CVE-2026-1357

The root cause of CVE-2026-1357 involves improper error handling during RSA decryption. Specifically, the plugin utilizes the openssl_private_decrypt() function to process incoming data. In a secure implementation, a failure in this function should trigger an immediate termination of the process. However, in WPvivid versions up to 0.9.123, a failure returns a boolean false value, which the plugin continues to process.

This false result is subsequently passed to a Rijndael (AES) encryption routine. The cryptographic library interprets the boolean false as a string of null bytes. This behavior creates a predictable, static encryption key. An attacker aware of this logic can craft a malicious payload encrypted with this predictable key, which the plugin will then successfully decrypt and process.

Furthermore, the plugin fails to sanitize filenames for uploaded objects. By combining the cryptographic bypass with directory traversal techniques, an attacker can write files outside the designated backup directory. This allows for the placement of malicious PHP scripts into the web root or other executable directories, leading to full remote code execution and total site takeover.

A mitigating factor is the 24-hour validity window for the generated keys required to send backup files. However, this window is sufficient for targeted attacks, especially since the plugin is often used by administrators during high-activity periods like host migrations.

Exploitation Context and Threat Intelligence

The discovery of CVE-2026-1357 coincides with a broader trend of attackers targeting WordPress plugin ecosystems to establish initial access. Utilizing a cyber threat intelligence platform allows organizations to track how these vulnerabilities are discussed in the wild. Our dark web monitoring service and Telegram threat monitoring have shown that unauthenticated RCE exploits for high-install plugins are frequently traded or shared among initial access brokers.

When a vulnerability like CVE-2026-1357 reaches a CVSS 9.8, it becomes a priority for automated scanning. Attackers use live ransomware API feeds and real-time ransomware intelligence to identify vulnerable targets before patches are applied. For organizations managing multiple WordPress instances, breach detection protocols must now include audits of the WPvivid configuration settings.

BeyondTrust Reconnaissance: CVE-2026-1731

While WordPress sites face the WPvivid flaw, enterprise environments are simultaneously targeted by reconnaissance for CVE-
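
The two failures described under "Technical Analysis of CVE-2026-1357" above, seen from the receiving side: an added example, not WPvivid's code and not part of the original article. It aborts when RSA unwrapping fails instead of letting the result become a cipher key, and it confines uploaded names to the backup directory. The function names, the 32-byte key length, OAEP padding and the .zip-only allowlist are assumptions.

```php
<?php
declare(strict_types=1);
// Added example with hypothetical names; not WPvivid's code.
const SESSION_KEY_BYTES = 32; // assumption: AES-256 session key
// Unwrap the RSA-protected session key. Any failure aborts the request, so a
// false/empty result can never reach the symmetric cipher as key material.
function unwrap_session_key(string $wrapped, $privateKey): string
{
    $key = '';
    $ok = openssl_private_decrypt($wrapped, $key, $privateKey, OPENSSL_PKCS1_OAEP_PADDING);
    if ($ok !== true || !is_string($key) || strlen($key) !== SESSION_KEY_BYTES) {
        throw new RuntimeException('session key unwrap failed');
    }
    return $key;
}

// Map a client-supplied name to a path inside the backup directory.
// Allowlist: one path component, no separators, a single ".zip" suffix.
function resolve_backup_path(string $backupDir, string $clientName): string
{
    if (preg_match('/\A[A-Za-z0-9_-]{1,128}\.zip\z/', $clientName) !== 1) {
        throw new InvalidArgumentException('rejected file name');
    }
    $base = realpath($backupDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('backup directory missing');
    }
    return $base . DIRECTORY_SEPARATOR . $clientName;
}

// Constructed demo inputs: a throwaway key pair, one valid blob, one garbage blob.
$pair = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$pub = openssl_pkey_get_details($pair)['key'];
openssl_public_encrypt(random_bytes(SESSION_KEY_BYTES), $good, $pub, OPENSSL_PKCS1_OAEP_PADDING);
foreach (['valid' => $good, 'garbage' => random_bytes(256)] as $label => $blob) {
    try {
        unwrap_session_key($blob, $pair);
        echo "$label: key accepted\n";
    } catch (RuntimeException $e) {
        echo "$label: request aborted\n";
    }
}
foreach (['site_backup-01.zip', '../../index.php', 'a/b.zip', 'x.php.zip'] as $name) {
    try {
        echo $name, ' -> ', resolve_backup_path(sys_get_temp_dir(), $name), "\n";
    } catch (InvalidArgumentException $e) {
        echo $name, " -> rejected\n";
    }
}
```

The length check matters independently of the boolean: it keeps an empty or short result out of the cipher even if a decrypt call ever reports success with unexpected output.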
