securityonline.info, 2/11/2026, 4:35:31 AM

Null Byte Nightmare: Critical WPvivid Backup Flaw (CVSS 9.8) Exposes 800K WordPress Sites

CyberSIXT Evidence Panel: CISA KEV: Not in KEV. Patch status: Unknown.

A critical vulnerability has been discovered in WPvivid Backup, a WordPress plugin used by over 800,000 websites, tracked as CVE-2026-1357 with a CVSS of 9.8. The flaw lies in the plugin’s remote transfer feature, specifically the send_to_site() function, which mishandles encryption keys and allows unauthenticated attackers to upload malicious files and potentially take complete control of a site.

The report explains that the feature can fall back to a weak default key consisting of a null byte and fails to validate the type of uploaded files, which lets an attacker upload a PHP script and deploy a web shell. From there, according to Wordfence, an attacker could execute arbitrary commands, modify files, and read sensitive database contents, amounting to remote code execution and a possible full site takeover.
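As an added illustration (not WPvivid's code), the two checks the report says were missing, written as a standalone guard for a hypothetical site-to-site transfer endpoint: refuse a key that is empty, too short or made only of null bytes, compare keys in constant time, and accept only files that look like backup archives by name and by content. The key, filenames and payloads below are constructed sample values.

```python
import hmac
import re

# Constructed sample values for the illustration; nothing here is a real WPvivid setting.
MIN_KEY_LEN = 16
ZIP_MAGIC = b"PK\x03\x04"                       # local file header of a zip archive
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+\.zip$")  # no paths, no null bytes, one allowed extension


def key_is_weak(key: bytes) -> bool:
    """A key that is short, empty, or all null bytes must never authorize a transfer."""
    if len(key) < MIN_KEY_LEN:
        return True
    return key.strip(b"\x00") == b""


def authorize_transfer(expected_key: bytes, presented_key: bytes) -> bool:
    """Refuse a weak configured key outright; otherwise compare in constant time."""
    if key_is_weak(expected_key):
        return False
    return hmac.compare_digest(expected_key, presented_key)


def accept_upload(expected_key: bytes, presented_key: bytes,
                  filename: str, content: bytes) -> tuple[bool, str]:
    """Gate an incoming backup file: authentication first, then name and content checks."""
    if not authorize_transfer(expected_key, presented_key):
        return False, "unauthorized"
    # Reject anything that is not a plain archive filename (e.g. shell.php, ../x.zip).
    if "\x00" in filename or not SAFE_NAME.fullmatch(filename):
        return False, "bad filename"
    # The extension alone is not enough; the bytes must also be a zip archive.
    if not content.startswith(ZIP_MAGIC):
        return False, "not a zip archive"
    return True, "ok"


if __name__ == "__main__":
    key = b"0123456789abcdef0123456789abcdef"  # constructed, not a real key
    print(accept_upload(b"\x00", b"\x00", "backup.zip", ZIP_MAGIC))   # weak key
    print(accept_upload(key, key, "shell.php", b"<?php system($_GET['c']);"))
    print(accept_upload(key, key, "backup.zip", ZIP_MAGIC + b"..."))
```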

The vulnerability was identified by Lucas Montes (NiRoX), who received a $2,145 bounty, and WPvivid has since released a fix in version 0.9.124. The issue specifically affects users with the site-to-site transfer feature enabled, which is disabled by default in the plugin settings.


Article by CyberSIXT