WordPress plugin with 900k installs vulnerable to critical RCE flaw

A critical vulnerability in the WPvivid Backup & Migration plugin for WordPress, installed on more than 900,000 websites, can be exploited to achieve remote code execution by uploading arbitrary files without authentication.

The security issue is tracked as CVE-2026-1357 and received a severity score of 9.8. It affects all versions of the plugin up to 0.9.123 and can lead to a complete site takeover.

Despite the severity of the problem, researchers at WordPress security firm Defiant say that only sites with the non-default “receive backup from another site” option enabled are critically impacted.

Moreover, attackers have a 24-hour exploitation window, which is the validity period of the generated key that other sites need in order to send backup files.

This requirement limits practical exposure; however, the plugin is often used for site migrations and backup transfers between hosts, so site administrators are very likely to enable this feature at some point, at least temporarily.

Researcher Lucas Montes (NiRoX) reported the vulnerability to Defiant on January 12. The root cause is improper error handling in RSA decryption, combined with a lack of path sanitization.

Specifically, when the ‘openssl_private_decrypt()’ function fails, the plugin does not halt execution and instead passes the failed result (false) to the AES (Rijndael) routine.

The cryptographic library treats this as a string of null bytes, creating a predictable encryption key that an attacker can use to craft malicious payloads that the plugin would accept.

Moreover, the plugin did not properly sanitize uploaded file names, allowing directory traversal. This enables writing files outside the intended backup directory and uploading malicious PHP files for remote code execution.

Defiant notified the vendor, WPVividPlugins, on January 22, following validation of the provided proof-of-concept exploit. A security update addressing CVE-2026-1357 was released in version 0.9.124 on January 28.

The fix includes adding a check to stop execution if RSA decryption fails, adding filename sanitization, and restricting uploads to allowed backup file types only, such as ZIP, GZ, TAR, and SQL.
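As an added illustration (not the plugin's own code), the three checks the fix describes, written in PHP: aborting when openssl_private_decrypt() reports failure instead of passing its result on, reducing an uploaded name to a bare filename, and allowing only the listed backup extensions before writing into the backup directory. The function names and the transfer format are assumptions.

```php
<?php
// Added illustration, not WPvivid's code: the hardened handling the fix describes.
// Function names and the key-transfer format are assumptions.

// 1. RSA step: never continue with a failed decryption result.
function decrypt_transfer_secret(string $ciphertext, string $private_key_pem): ?string
{
    $secret = '';
    // The vulnerable pattern ignored this boolean and handed the failed result
    // to the AES routine, which then keyed itself from null bytes (a predictable key).
    if (!openssl_private_decrypt($ciphertext, $secret, $private_key_pem)) {
        return null; // caller must abort the transfer here
    }
    return $secret;
}

// 2. Filename step: drop any directory component and enforce the allowed types.
function safe_backup_filename(string $name): ?string
{
    $base = basename(str_replace("\\", '/', $name)); // removes "../" and any path
    if ($base === '' || $base === '.' || $base === '..' || strpos($base, "\0") !== false) {
        return null;
    }
    $allowed = ['zip', 'gz', 'tar', 'sql']; // backup types named in the fix
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    return in_array($ext, $allowed, true) ? $base : null;
}

// 3. Write step: resolve the target and confirm it stays inside the backup directory.
function store_backup_part(string $backup_dir, string $name, string $data): bool
{
    $safe = safe_backup_filename($name);
    $real_dir = realpath($backup_dir);
    if ($safe === null || $real_dir === false) {
        return false;
    }
    $target = $real_dir . DIRECTORY_SEPARATOR . $safe;
    if (dirname($target) !== $real_dir) {
        return false; // defence in depth: the name must not escape the directory
    }
    return file_put_contents($target, $data) !== false;
}

// Constructed inputs: a traversal name carrying a PHP extension, and a plain archive name.
var_dump(safe_backup_filename('../../wp-content/not-a-backup.php'));
var_dump(safe_backup_filename('site-backup.zip'));
```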

Users of the WPvivid Backup & Migration WordPress plugin should be aware of the risks associated with the vulnerability and upgrade to version 0.9.124 as soon as possible.