Nearly a million WordPress websites could be at risk from this serious plugin security flaw

WPvivid Backup & Migration plugin vulnerable to critical RCE flaw CVE-2026-1357
Exploitation requires “receive backup from another site” option enabled, with 24-hour attack window
Patch released in version 0.9.123 (Jan 28); users urged to upgrade immediately

WPvivid Backup & Migration, a WordPress plugin with almost a million installs, is vulnerable to a critical-severity flaw that allows threat actors to run malicious code remotely.

Although it sounds ominous, the bug has a few limitations that make exploitation somewhat difficult.

Exploiting and patching

However security researchers Defiant found the plugin suffers from improper error handling in the RSA decryption process, combined with a lack of path sanitization. As a result, threat actors could upload arbitrary files to the server without authentication, achieving remote code execution (RCE).

The bug is tracked as CVE-2026-1357 and has a severity score of 9.8/10 (critical). It affects all versions up to 0.9.123, which was released on January 28.

While all users are advised to upgrade to a safe version as soon as possible, exploiting this vulnerability is not as easy as it sounds. Only sites that have “receive backup from another site” option enabled are vulnerable, and this feature is not turned on by default.

What’s more, the miscreants only have 24 hours to attack, given that the key the other sites need to send backup files expires after a day.

Unfortunately, there is no way to tell exactly how many, of the 900,000 active installations, are vulnerable. The official WordPress plugin website only shows installations of version 0.9, without further segmentation. It does state that since January 28, the day of the patch, up until today, the plugin was downloaded roughly 200,000 times.

BleepingComputer

The best antivirus for all budgets

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

https://cdn.mos.cms.futurecdn.net/7NLZKWEKmFLJVAH4nubeaX-970-80.jpg

Source link

Quordle hints and answers for Saturday, April 4 (game #1531)

NYT Connections hints and answers for Saturday, April 4 (game #1028)

NYT Strands hints and answers for Saturday, April 4 (game #762)

Dell packs full desktop performance into a palm-sized device that’s powered entirely through a single USB-C connection

Ex-Israeli Intelligence Official: Shockwaves of Trump’s “Take Over Gaza” Heard, Felt Across Region

What UK political parties are promising in the 2019 general election

Otto Warmbier’s parents want North Korea to suffer for their son’s death

Could a ‘youthquake’ cause Boris Johnson to lose the general election?

Add a Cordless Electric Air Duster to Your PC or Car Maintenance Kit for Just $24 (or Less)

When Was Tom Holland & Zendaya’s Wedding? What We Know – Hollywood Life

New Mel Brooks, Josh Gad Movie Sets Release (EXCLUSIVE)

Starz CEO Jeffrey Hirsch Sees Pay Total $6.7 Million

Rambus CEO Seraphin Luc sells shares worth $470k

Form 13D/A SOUTHWEST AIRLINES CO For: 3 April

Henderson Jane, Apogee Therapeutics CFO, sells $170k in stock

Apogee Therapeutics (APGE) CMO sells shares worth $466,619

The YouTuber who has become one of Gen Z’s most beloved celebrities

26 last-minute holiday gifts that are still thoughtful and unique

Practicing gratitude regularly can make you less stressed and sleep better

8 things millennials wish you would just stop getting them for the holidays