Security

Critical Arbitrary File Upload Vulnerability in WPvivid Plugin Threatens 800,000 Sites

Over 800,000 WordPress sites risk takeover due to a critical file upload vulnerability in the WPvivid Backup plugin. Immediate updates are essential.

Editor · · 4 min read
Critical Arbitrary File Upload Vulnerability in WPvivid Plugin Threatens 800,000 Sites

Some links on this page are affiliate links. We may earn a commission when you click through and make a purchase, at no additional cost to you.

Critical Arbitrary File Upload Vulnerability in WPvivid Plugin Threatens 800,000 Sites

A newly discovered vulnerability in the WPvivid Backup WordPress plugin has left over 800,000 sites at risk. The flaw allows unauthenticated attackers to upload arbitrary files, potentially resulting in remote code execution and total site takeover. The vulnerability, identified as CVE-2026-1357, was responsibly reported by researcher Lucas Montes and has been patched as of January 28, 2026.

WPvivid Backup is a popular plugin used for migration, backup, and staging of WordPress sites. The vulnerability was introduced on January 7, 2026, and reported to Wordfence five days later. This swift identification allowed for rapid action by both Wordfence and the WPvivid development team, demonstrating the effectiveness of coordinated vulnerability disclosure.

The flaw stems from improper error handling in the RSA decryption process and unsanitized file paths. Specifically, when the plugin’s RSA decryption fails, it passes a boolean false to the phpseclib library’s AES cipher, which is incorrectly treated as a string of null bytes. This permits attackers to encrypt payloads using a predictable key. Additionally, the plugin fails to sanitize filenames, allowing directory traversal, which can expose sites to remote code execution through the ‘wpvivid_action=send_to_site’ parameter.

technical code vulnerability
Developers must examine code handling to prevent vulnerabilities.
Technical code vulnerability
Developers must examine code handling to prevent vulnerabilities.

This incident highlights ongoing security challenges within the WordPress ecosystem, especially for plugins with extensive user bases. The rapid patching by WPvivid and protective measures from Wordfence underscore the importance of vigilance and timely updates. However, the delay in protection for free Wordfence users until February 21, 2026, raises concerns about equitable access to security measures.

Site owners and developers using WPvivid must urgently update to version 0.9.124 to mitigate this critical risk. The incident also reinforces the necessity for proactive security practices and the implementation of defense-in-depth strategies across WordPress environments.

Action Steps

  • Developers: Review and sanitize input handling in plugins. Implement robust error handling to prevent similar vulnerabilities.
  • Site Owners: Update WPvivid to version 0.9.124 immediately. Consider additional security plugins to monitor and block unauthorized file uploads.
  • Agencies: Audit client sites using WPvivid to ensure the patch has been applied. Educate clients on the importance of regular updates and security monitoring.
  • Hosting Teams: Encourage customers to update plugins promptly. Offer guidance on implementing additional security measures if necessary.
Related News
WordPress website pricing
Hosting
Strategic Pricing for WordPress Website Builds
agency news weekly
Community
Agency News Weekly: WordPress 6.9 Preview, SpamGPT Threat, WooCommerce Updates
Industry
Enterprise Accessibility Audits: What Really Happens