Nearly a million WordPress websites could be at risk from this serious plugin security flaw


  • WPvivid Backup & Migration plugin vulnerable to critical RCE flaw CVE-2026-1357
  • Exploitation requires “receive backup from another site” option enabled, with 24-hour attack window
  • Patch released in version 0.9.123 (Jan 28); users urged to upgrade immediately

WPvivid Backup & Migration, a WordPress plugin with almost a million installs, is vulnerable to a critical-severity flaw that allows threat actors to run malicious code remotely.

Although it sounds ominous, the bug has a few limitations that make exploitation somewhat difficult.

The affected WordPress plugin lets users create site backups, restore them, and migrate sites to new domains or hosts. The core features are available for free, with optional premium upgrades for more advanced functions. It currently counts more than 900,000 active installations and more than 20,000 customers.

Exploiting and patching

However, security researchers at Defiant found that the plugin suffers from improper error handling in its RSA decryption process, combined with a lack of path sanitization. As a result, threat actors could upload arbitrary files to the server without authentication, achieving remote code execution (RCE).

The bug is tracked as CVE-2026-1357 and has a severity score of 9.8/10 (critical). It affects all versions before 0.9.123, the patched release published on January 28.

While all users are advised to upgrade to a safe version as soon as possible, exploiting this vulnerability is not as easy as it sounds. Only sites that have the “receive backup from another site” option enabled are vulnerable, and this feature is not turned on by default.

What’s more, the miscreants only have 24 hours to attack, because the key that other sites need in order to send backup files expires after a day.
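The two weaknesses described above, a decryption failure that is not treated as fatal and an upload path that is not confined to the backup directory, map onto a small fail-closed pattern. The following PHP is an added illustration and is not WPvivid's code; it assumes a receiving site holds an RSA private key ($privateKeyPem), the sending site proves possession of a one-time token encrypted to the matching public key, the token carries an issue time so the 24-hour lifetime mentioned above can be enforced, and chunks are written under $backupDir. All names and parameters are hypothetical.

```php
<?php
// Added example (not the plugin's code): a fail-closed handler for receiving
// a backup chunk from another site. Assumed inputs are described in the lead-in.

function receive_backup_chunk(
    string $privateKeyPem,   // receiving site's RSA private key (assumed)
    string $encryptedToken,  // one-time token encrypted to our public key (assumed)
    string $expectedToken,   // token we issued to the sender (assumed)
    int    $tokenIssuedAt,   // unix time the token was issued (assumed)
    string $requestedName,   // file name the sender asks us to write
    string $chunk,           // chunk bytes
    string $backupDir        // directory uploads must stay inside
): bool {
    // 1. Key lifetime: reject tokens older than 24 hours.
    if (time() - $tokenIssuedAt > 24 * 3600) {
        return false;
    }

    // 2. Fail closed on RSA decryption. openssl_private_decrypt() returns false
    //    on error; continuing after a false return (or never checking it) is the
    //    error-handling class of defect the article describes.
    $key = openssl_pkey_get_private($privateKeyPem);
    if ($key === false) {
        return false;
    }
    $decrypted = '';
    $ok = openssl_private_decrypt($encryptedToken, $decrypted, $key, OPENSSL_PKCS1_OAEP_PADDING);
    if ($ok !== true || !hash_equals($expectedToken, $decrypted)) {
        return false;
    }

    // 3. Path confinement: accept only a bare file name with the expected
    //    extension (no directory separators, no traversal), then resolve the
    //    backup directory and build the destination inside it.
    if (basename($requestedName) !== $requestedName
        || !preg_match('/^[A-Za-z0-9_-]+\.zip$/', $requestedName)) {
        return false;
    }
    $root = realpath($backupDir);
    if ($root === false || !is_dir($root)) {
        return false;
    }
    $dest = $root . DIRECTORY_SEPARATOR . $requestedName;

    return file_put_contents($dest, $chunk, FILE_APPEND | LOCK_EX) !== false;
}
```

The order matters: the token lifetime and decryption checks run before any file name is examined, so a request that cannot prove it holds a live key never reaches the filesystem, and the file name check is a strict allow-list rather than an attempt to strip dangerous characters.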

Unfortunately, there is no way to tell exactly how many of the 900,000 active installations are vulnerable. The official WordPress plugin website only shows installations of version 0.9, without further segmentation. It does state that since January 28, the day of the patch, up until today, the plugin was downloaded roughly 200,000 times.

Via BleepingComputer



Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
