Critical RCE Vulnerability in WPvivid Plugin Affects 900,000 WordPress Sites
Severity: High (Score: 65.6)
Sources: Linkedin, Facebook, Securityboulevard, Techradar, Bleepingcomputer
Keywords: wordpress, plugin, critical, backup, code, flaw, vulnerability
Severity indicators: critical, vulnerability, flaw, rce
Summary
A critical vulnerability in the WPvivid Backup & Migration plugin, affecting over 900,000 WordPress sites, allows unauthenticated attackers to upload files and execute code remotely. This flaw, tracked as CVE-2026-1357, has a severity score of 9.8 and impacts all versions up to 0.9.123. A fix is reportedly available.
Source articles (9)
- WordPress Backup Plugin Vulnerability Exposes 800,000 Sites to Remote Code Execution Attacks — Cybersecuritynews · 2026-02-12
A critical flaw in the WPvivid Backup & Migration WordPress plugin can let an unauthenticated attacker upload files and run code on the server, a path that often ends in full site takeover. The issue…
- WordPress plugin with 900k installs vulnerable to critical RCE flaw — Bleepingcomputer · 2026-02-12
A critical vulnerability in the WPvivid Backup & Migration plugin for WordPress, installed on more than 900,000 websites, can be exploited to achieve remote code execution by uploading arbitrary files…
- Critical WordPress Plugin Flaw Exposes 900,000+ Sites to Remote Code Execution. A ... — Facebook · 2026-02-13
Critical WordPress Plugin Flaw Exposes 900000+ Sites to Remote Code Execution. A newly disclosed critical vulnerability in the WPvivid Backup &...
- Critical vulnerability in WPvivid backup plugin allows remote code execution — Scworld · 2026-02-13
Bleeping Computer reports that a critical vulnerability in the WPvivid Backup & Migration plugin, affecting over 900,000 WordPress websites, has been discovered. This flaw allows unauthenticated attac…
- Nearly a million WordPress websites could be at risk from this serious plugin security flaw — Techradar · 2026-02-13
Exploitation requires “receive backup from another site” option enabled, with 24-hour attack window; Patch released in version 0.9.123 (Jan 28); ...
- Nearly One Million WordPress Sites at Risk from Plugin Flaw - RS Web Solutions (RSWEBSOLS) — Rswebsols · 2026-02-15
WPvivid Backup & Migration Plugin Exposed to Severe RCE Vulnerability CVE-2026-1357. Critical remote code execution flaw identified in WPvivid Backup ...
- Critical WordPress Backup Plugin Flaw Leaves 800,000 Sites Exposed to Remote Code Execution — Linkedin · 2026-02-15
A critical vulnerability in the WPvivid Backup plugin exposes over 800,000 WordPress sites to unauthenticated remote code execution. Discovered via Wordfence’s Bug Bounty Program, this flaw allows at…
- CVE-2026-1357: WordPress Plugin RCE Exposes Sites to Full Takeover — Securityboulevard · 2026-02-17
CVE-2026-1357 exposes a critical WordPress WPvivid plugin flaw, allowing unauthenticated RCE, enabling attackers to upload PHP files and fully ...
- The Week in Vulnerabilities: WordPress, BeyondTrust, and Critical ICS Bugs — Cyble · 2026-02-25
... remote code execution vulnerability affecting the WPvivid Backup & Migration plugin for WordPress. The flaw stems from improper handling of RSA ...
Timeline
- 2026-02-11 — CVE-2026-1357 published
- 2026-02-11 — First public PoC released
- 2026-02-12 — Articles published detailing the vulnerability
CVEs
Related entities
- Zero-day Exploit (Attack Type)
- T1190 - Exploit Public-Facing Application (MITRE ATT&CK)
- T1505.003 - Web Shell (MITRE ATT&CK)
- PHP (Platform)
- WordPress (Platform)