WPvivid Backup & Migration Plugin Unauthenticated Remote Code Execution (CVE-2026-1357)
Overview
CVE-2026-1357 is an unauthenticated remote code execution vulnerability in the WPvivid Backup & Migration plugin for WordPress, affecting versions up to and including 0.9.123. Because backup and migration plugins handle files and site transfer workflows, unauthenticated file upload flaws in this area can lead directly to site takeover.
Vulnerability Overview
CVE-2026-1357 is an unauthenticated arbitrary file upload vulnerability. According to Wordfence, the issue is caused by improper error handling in the RSA decryption process combined with missing path sanitization when uploaded files are written.
When the vulnerable path is reached, an attacker may be able to escape the protected backup directory and place dangerous files in publicly accessible locations. In a WordPress/PHP environment, that can lead to remote code execution.
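The two controls named above, failing closed when RSA decryption fails and confining the written file to the backup directory, are sketched below as an added example; it is not WPvivid's code or its patch. The function names, the OAEP padding choice, the extension allow-list and the sample file names are assumptions made for illustration.

```php
<?php
// Added example with hypothetical helper names; not taken from the plugin.

/**
 * Unwrap an RSA-encrypted session key, failing closed.
 * openssl_private_decrypt() returns false on failure; that result must
 * end the request instead of flowing on as a usable (empty) key.
 */
function example_unwrap_key(string $wrapped, $privateKey): string
{
    $key = '';
    $ok = openssl_private_decrypt($wrapped, $key, $privateKey, OPENSSL_PKCS1_OAEP_PADDING);
    if ($ok !== true || $key === '') {
        throw new RuntimeException('key unwrap failed');
    }
    return $key;
}

/**
 * Map a client-supplied file name to a path inside $backupDir, or throw.
 * Only a bare file name with an allow-listed archive extension passes.
 */
function example_safe_backup_path(string $backupDir, string $clientName): string
{
    $base = realpath($backupDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('backup directory missing');
    }
    // Anything with a directory component, backslash or NUL byte is refused.
    if ($clientName === '' || $clientName !== basename($clientName)
        || strpos($clientName, "\0") !== false || strpos($clientName, '\\') !== false) {
        throw new InvalidArgumentException('invalid file name');
    }
    // Constructed allow-list: archive extensions only, never .php.
    if (!preg_match('/\A[A-Za-z0-9._-]+\.(zip|tar|gz)\z/', $clientName)) {
        throw new InvalidArgumentException('unexpected file type');
    }
    return $base . DIRECTORY_SEPARATOR . $clientName;
}

// Constructed inputs: only the first is accepted.
foreach (['site_backup.zip', '../x.php', 'a/b.zip', 'x.php'] as $name) {
    try {
        echo $name, ' -> ', example_safe_backup_path(sys_get_temp_dir(), $name), PHP_EOL;
    } catch (Exception $e) {
        echo $name, ' -> rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Either check alone leaves a gap: the decryption check stops requests that never held a valid key, and the path check keeps even a validly keyed upload out of web-served directories.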
Impact
The vulnerability is rated Critical with a CVSS 3.1 score of 9.8. Successful exploitation can allow unauthenticated attackers to upload arbitrary PHP files and execute code with the privileges of the web server process.
For WordPress sites, this can compromise application files, database credentials, plugin data, and the wider hosting account.
Vulnerability Scope
The affected product is the Migration, Backup, Staging - WPvivid Backup & Migration plugin up to and including version 0.9.123. The vulnerable behavior is tied to backup migration handling and file write paths.
The highest-risk deployments are public WordPress sites running affected WPvivid versions with the vulnerable migration functionality reachable by unauthenticated users.
Lab Focus
This Hackviser lab focuses on understanding how file upload validation failures in WordPress backup plugins can become remote code execution. You will practice identifying affected WPvivid versions, recognizing arbitrary file upload impact, and mapping plugin file handling risk to WordPress hardening.
