Description
The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Upload in versions up to and including 0.9.123. This is due to improper error handling in the RSA decryption process combined with a lack of path sanitization when writing uploaded files. When the plugin fails to decrypt a session key using openssl_private_decrypt(), it does not terminate execution and instead passes the boolean false value to the phpseclib library's AES cipher initialization. The library treats this false value as a string of null bytes, allowing an attacker to encrypt a malicious payload using a predictable null-byte key. Additionally, the plugin accepts filenames from the decrypted payload without sanitization, enabling directory traversal to escape the protected backup directory. This makes it possible for unauthenticated attackers to upload arbitrary PHP files to publicly accessible directories and achieve Remote Code Execution via the wpvivid_action=send_to_site parameter.
Published: 2026-02-11
Score: 9.8 Critical
EPSS: 22.4% Moderate
KEV: No
Impact: Remote Code Execution via arbitrary file upload
Action: Immediate Patch
AI Analysis

Impact

The WPvivid Backup & Migration plugin for WordPress implements an authentication‑free file upload feature that is exposed through the wpvivid_action=send_to_site parameter. When a session key fails to decrypt, the decryption routine propagates a boolean false value to an AES cipher it initializes, and the cipher treats that as a string of null bytes. An attacker can encrypt a malicious payload with a predictable null‑byte key, upload it, and the plugin writes the file to disk without sanitizing directory traversal characters in the supplied filename. The result is the ability for an unauthenticated actor to place an executable PHP file in a publicly reachable location and execute arbitrary PHP code against the site, effectively compromising the entire WordPress installation.

Affected Systems

All installations of the WPvivid Backup & Migration WordPress plugin running any version up to and including 0.9.123 are affected. The vulnerability is present in all releases of the plugin up to that point, regardless of the WordPress core version.

Risk and Exploitability

The CVSS score of 9.8 illustrates a critical severity, and an EPSS score of 22% indicates a relatively high likelihood of exploitation in the real world. Because authentication is not required and the attack can be performed from the public web interface, any site with this plugin enabled is directly vulnerable. The vulnerability is not currently listed in CISA’s KEV catalog, but the immediacy of the RCE risk warrants urgent remedial action. Exploiting the flaw requires only knowledge of the upload endpoint and ability to craft a compatible encrypted payload, conditions that are readily met by automated scanning tools or malicious actors.

Generated by OpenCVE AI on April 22, 2026 at 20:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WPvivid Backup & Migration to a version newer than 0.9.123 where the decryption failure path is altered and file path sanitization is enforced.
  • If an immediate plugin update is not feasible, temporarily disable the wpvivid_action=send_to_site endpoint by removing or restricting that specific action hook, or by blocking its URL in web‑application firewall rules.
  • Ensure the backup directories are not world‑writable and that PHP execution is disabled in those directories via .htaccess or server configuration, thereby preventing uploaded files from being executed even if a file is placed there.

Generated by OpenCVE AI on April 22, 2026 at 20:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 12 Feb 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 11 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpvividplugins
Wpvividplugins migration Backup Staging Wpvivd Backup And Migration
Vendors & Products Wordpress
Wordpress wordpress
Wpvividplugins
Wpvividplugins migration Backup Staging Wpvivd Backup And Migration

Wed, 11 Feb 2026 05:45:00 +0000

Type Values Removed Values Added
Description The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Upload in versions up to and including 0.9.123. This is due to improper error handling in the RSA decryption process combined with a lack of path sanitization when writing uploaded files. When the plugin fails to decrypt a session key using openssl_private_decrypt(), it does not terminate execution and instead passes the boolean false value to the phpseclib library's AES cipher initialization. The library treats this false value as a string of null bytes, allowing an attacker to encrypt a malicious payload using a predictable null-byte key. Additionally, the plugin accepts filenames from the decrypted payload without sanitization, enabling directory traversal to escape the protected backup directory. This makes it possible for unauthenticated attackers to upload arbitrary PHP files to publicly accessible directories and achieve Remote Code Execution via the wpvivid_action=send_to_site parameter.
Title Migration, Backup, Staging <= 0.9.123 - Unauthenticated Arbitrary File Upload
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Wordpress Wordpress
Wpvividplugins Migration Backup Staging Wpvivd Backup And Migration
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:29:56.152Z

Reserved: 2026-01-22T20:12:20.756Z

Link: CVE-2026-1357

cve-icon Vulnrichment

Updated: 2026-02-11T15:46:31.502Z

cve-icon NVD

Status : Deferred

Published: 2026-02-11T06:15:51.677

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1357

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T20:15:20Z

Weaknesses