Critical WPvivid Backup Plugin Flaw Exposes 800,000+ WordPress Sites to Remote Code Execution

A serious security vulnerability has been discovered in the WPvivid Backup & Migration plugin, placing more than 800,000 WordPress websites at potential risk of remote code execution.

The issue was identified through the Wordfence Bug Bounty Program and affects plugin versions up to 0.9.123. It has been assigned a critical CVSS score of 9.8 under CVE-2026-1357.

Critical WPvivid Backup Plugin Flaw Exposes 800,000+ WordPress Sites to Remote Code Execution

What’s the Risk?

The vulnerability allows unauthenticated attackers to upload malicious files to affected websites. In certain configurations, this can result in complete site compromise. Once a malicious file such as a web shell is uploaded and executed, attackers can gain full control over the WordPress environment.

The exploit is triggered using the wpvivid_action=send_to_site parameter, which is connected to the plugin’s backup transfer functionality.

Root Cause of the Vulnerability

The issue stems from improper encryption handling and a lack of validation checks during file uploads. When the plugin attempts to decrypt a session key using openssl_private_decrypt(), a failure returns a false value. Instead of stopping execution, the system continues processing.

That failed decryption is interpreted as null bytes by the AES encryption component (via phpseclib), creating a predictable encryption state. Attackers can use this predictability to craft malicious payloads that bypass security controls.

Additionally, uploaded files are written to the server without sufficient checks for file type, extension, or directory path. This opens the door for directory traversal attacks, allowing malicious PHP files to be placed in publicly accessible locations and executed.

When Are Sites Affected?

The vulnerability impacts sites that have enabled the plugin’s “receive key” feature for remote backup transfers. This feature is disabled by default and has a maximum expiration window of 24 hours.

However, given the plugin’s large active installation base, even a small number of misconfigured sites could represent significant exposure.

Technical Breakdown

The core issue lies within the send_to_site() function. The plugin decrypts incoming POST data using a site-specific private key. If decryption fails, the false result becomes the AES key, effectively defaulting to null bytes.

Attackers can exploit this predictable encryption behavior by sending carefully crafted, base64-encoded payloads via the wpvivid_content parameter.

The decrypt_message() method does not properly verify whether decryption succeeded before proceeding. At the same time, uploaded files are not validated for safe extensions or restricted paths, allowing malicious scripts to be stored outside the intended backup directory.

Recommended Actions

  • Immediately update the WPvivid Backup & Migration plugin to the latest patched version.
  • Verify whether the “receive key” feature is enabled and disable it if not required.
  • Review recent uploads and server logs for suspicious activity.
  • Implement server-level restrictions to prevent PHP execution in upload directories.

Given the critical severity rating and the plugin’s widespread usage, prompt action is strongly advised for all affected site owners.

Author Bio – Sandeep Dharak

Sandeep Dharak is an SEO professional and technical content strategist specialising in WordPress optimisation, website architecture, and organic search performance. He works with brands to improve visibility through structured content planning, technical SEO audits, and data-driven growth strategies. He is associated with WPGrowthLab and AuthorityTrends, where he focuses on search strategy, technical analysis, and sustainable organic acquisition. His work regularly involves reviewing WordPress updates, plugin vulnerabilities, and evolving search engine guidelines to help businesses maintain secure and high-performing websites. Sandeep’s approach combines practical implementation with research-backed insights, ensuring that recommendations are both technically sound and aligned with long-term search performance goals.
AI Content Disclaimer This article was created with the assistance of AI tools to support research structuring and content drafting. All technical details, security references, and factual information have been reviewed and verified for accuracy before publication. The content is intended for informational purposes only and should not be considered legal, security, or professional advice. Website owners are encouraged to consult qualified security professionals or developers before implementing technical changes.

Comments

Post a Comment

Popular posts from this blog

How to Use AI to Generate Blog Content in WordPress (Step‑by‑Step Guide)

Image
Artificial intelligence is changing how WordPress creators write, optimize, and publish blog content. Instead of spending hours on research and drafting, bloggers can now use AI tools to generate high-quality articles, optimize them for SEO, and publish consistently—without sacrificing originality or accuracy. In this guide, you’ll learn how to use AI to generate blog content in WordPress, the best tools to use, and proven workflows that help your posts perform better in Google Search and Google Discover. What Does It Mean to Use AI for Blog Content? Using AI for blog content means leveraging machine learning tools to: Generate blog ideas and outlines Write drafts or full articles Optimize content for SEO and readability Rewrite, expand, or summarize posts Create meta titles, descriptions, and FAQs AI does not replace human creativity —it accelerates research, drafting, and optimization. Benefits of Using AI in WordPress 1. Faster Content Creation AI can generate a first draft in minut...
Read more

How to Improve Your WordPress SEO Using AI

Image
Introduction Search Engine Optimization (SEO) has changed. For years, we focused on keywords, backlinks, and "tricking" the algorithm. Today, that approach is dying. We are entering the era of AI-Powered SEO . This isn't just about using ChatGPT to write blog posts. It is about understanding how search engines like Google now use Artificial Intelligence to read, understand, and rank your WordPress site. Google is no longer just a library index; it is becoming an "Answer Engine." With the rise of AI Overviews (formerly SGE) and tools like ChatGPT and Perplexity, users often get their answers directly without clicking a link. For WordPress site owners, this is both a risk and an opportunity. If your site is optimized for these new AI systems, you can gain massive visibility. If you are stuck in 2020, you might become invisible. This guide explains exactly how to adapt your WordPress site for this new reality using practical tools and strategies. How ...
Read more

WordPress Adds Built-In AI Assistant for Layout and Content Editing

Image
Published By Authority Trends on Feb 24, 2026 WordPress has introduced a new AI assistant designed to help users update page layouts and content directly within the platform. The feature aims to make editing faster and more intuitive, especially for users without coding or design experience. As per The Daily Star , The AI assistant works inside the WordPress editor and can suggest layout changes, rewrite text, generate new sections, and adjust design elements based on simple prompts. Instead of manually dragging blocks and writing content line by line, users can now describe what they want and let the assistant apply it. For example, asking it to “make this hero section bolder” or “rewrite this paragraph for clarity” triggers automatic updates in the editor. According to WordPress , the feature is rolling out progressively and will be available to users globally over the coming months. It builds on previous AI integrations in WordPress and reflects a broader push toward AI-enhanced we...
Read more