
900,000 Vulnerable WordPress Sites Identified Due to Plugin Flaw
TL;DR
A critical vulnerability was found in the WPvivid Backup & Migration plugin, affecting over 900,000 WordPress sites globally.
A critical vulnerability was identified in the WPvivid Backup & Migration plugin, which is installed on over 900,000 WordPress sites globally. The flaw, tracked as CVE-2026-1357, carries a CVSS score of 9.8 out of 10, placing it in the critical range.
WPvivid is a widely used plugin for backing up and migrating WordPress sites: it creates backups and transfers them between servers. The flaw allows unauthenticated remote code execution (RCE), meaning an attacker can run arbitrary code on the server without logging in to the site.
With this type of vulnerability, an attacker can take full control of an affected site. According to security experts, the integrity and confidentiality of all data stored on the site are at stake.
Understanding the Attack
The vulnerability was discovered by researcher Lucas Montes and reported on January 12 to Defiant, a company specializing in WordPress security. It affects all versions of the plugin up to and including 0.9.123 and stems from two coding errors that compound each other.
The vulnerable code is reached through the "receive backup from another site" feature, which administrators enable during site migrations. The plugin does not adequately validate the encrypted data it receives, so an attacker can send requests that the plugin processes without proper checks.
When RSA decryption of the received data fails, the plugin does not abort as it should; it continues with a predictable encryption key. An attacker who encrypts a payload under that predictable key therefore gets it accepted as a legitimate backup file, and because the plugin also fails to validate the supplied filename, the payload can be written to disk under a name of the attacker's choosing, such as a .php file.
Complete Site Compromise
Once the malicious file is on the server, the attacker simply requests it through the browser. On a typical WordPress host, every .php file under the web root is handed to the PHP interpreter, so a single HTTP request to the uploaded file runs whatever code it contains.
With a malicious PHP file within reach, the attacker controls the site: stealing data, modifying content, creating administrator accounts, and installing backdoors that provide re-entry for future attacks. Defiant's researchers emphasize that a vulnerability of this kind enables a complete takeover of the site.
Factors Limiting Exploitation
Although the vulnerability is severe, some restrictions may limit widespread exploitation. The main one is that the vulnerable feature is not enabled by default. In addition, when it is enabled, the access key generated by the plugin remains valid for only 24 hours.
Experts nevertheless consider these limitations insufficient to eliminate the risk: administrators enable the feature while performing migrations, and each such migration opens a window of opportunity for an attack.
Patch Available
Defiant notified the plugin's developer, WPVividPlugins, of the vulnerability on January 22. A patch followed promptly in version 0.9.124, released on January 28.
The new version adds several safeguards: strict validation of the received data, aborting when decryption fails instead of continuing with a predictable key, and an allow-list of permitted file types that excludes PHP files which could carry malicious code.
Experts recommend that all users of WPvivid Backup & Migration update to version 0.9.124 immediately. With many sites still unpatched, attackers are likely to use automated scripts to exploit outdated installations.
To check the installed version, open the WordPress admin panel, go to the "Plugins" section, and look for "WPvivid". If the version shown is 0.9.123 or earlier, update immediately.
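The failure chain described under "Understanding the Attack" (a decryption failure that does not abort, followed by an unvalidated filename) and the fail-closed behaviour described in the patch paragraph above, as an added side-by-side illustration. This is not WPvivid's code: the function names, the RSA-OAEP/AES-256-CBC key-wrapping scheme, the assumption that the "predictable key" is an empty passphrase zero-padded to the cipher's key size, and the on-disk layout are all assumptions made for the demo.

```php
<?php
// Added illustration of the bug class the article describes (a decryption failure
// that does not abort, plus an unvalidated upload filename) next to a fail-closed
// version. This is NOT WPvivid's code: the function names, the RSA-OAEP/AES-256-CBC
// key-wrapping scheme and the on-disk layout are assumptions made for the demo.
// Requires ext-openssl. Run: php fail_open_demo.php
declare(strict_types=1);

// Assumed transfer protocol: the sending site RSA-encrypts a fresh 32-byte AES key
// for the receiver, AES-encrypts the backup chunk, and posts {encKey, iv, encData, filename}.

function rsa_keypair(): array
{
    $res = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
    openssl_pkey_export($res, $priv);
    return [$priv, openssl_pkey_get_details($res)['key']];
}

// VULNERABLE pattern: the return value of openssl_private_decrypt() is ignored, so a
// garbage $encKey leaves $aesKey as ''. openssl_decrypt() silently zero-pads a short
// passphrase to the cipher's key size, so the effective key is 32 NUL bytes, which the
// attacker knows. The client-supplied filename is then used verbatim.
function receive_backup_vulnerable(string $priv, string $encKey, string $iv, string $encData,
                                   string $filename, string $destDir): string
{
    $aesKey = '';
    openssl_private_decrypt($encKey, $aesKey, $priv, OPENSSL_PKCS1_OAEP_PADDING); // result unchecked
    $plain = openssl_decrypt($encData, 'aes-256-cbc', $aesKey, OPENSSL_RAW_DATA, $iv);
    if ($plain === false) {
        throw new RuntimeException('payload did not decrypt');
    }
    $path = $destDir . '/' . $filename; // no basename(), no extension allow-list
    file_put_contents($path, $plain);
    return $path;
}

// FIXED pattern: any key-unwrap failure aborts, the unwrapped key must have the
// expected length, and only a bare archive name with no path component and no
// PHP-executable extension anywhere in it is written to disk.
function receive_backup_fixed(string $priv, string $encKey, string $iv, string $encData,
                              string $filename, string $destDir): string
{
    $aesKey = '';
    $ok = openssl_private_decrypt($encKey, $aesKey, $priv, OPENSSL_PKCS1_OAEP_PADDING);
    if ($ok !== true || strlen($aesKey) !== 32) {
        throw new RuntimeException('key unwrap failed; refusing to continue');
    }
    $plain = openssl_decrypt($encData, 'aes-256-cbc', $aesKey, OPENSSL_RAW_DATA, $iv);
    if ($plain === false) {
        throw new RuntimeException('payload did not decrypt');
    }
    if (!is_safe_backup_name($filename)) {
        throw new RuntimeException('rejected filename: ' . $filename);
    }
    $path = $destDir . '/' . $filename;
    file_put_contents($path, $plain);
    return $path;
}

function is_safe_backup_name(string $name): bool
{
    if ($name !== basename($name)) {                 // rejects "../x", "/etc/x", "a/b"
        return false;
    }
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.zip$/', $name)) {
        return false;
    }
    // Reject "shell.php.zip" too: some servers map any dotted extension to a handler.
    return !preg_match('/\.(php\d*|phtml|phar)(\.|$)/i', $name);
}

// --- Constructed traffic for the demo ---
[$priv, $pub] = rsa_keypair();
$dest = sys_get_temp_dir() . '/receive-demo-' . bin2hex(random_bytes(4));
mkdir($dest);

// 1. Attacker: never had a valid key; encrypts under the all-zero key the
//    vulnerable handler will fall back to, and sends random bytes as $encKey.
$webshell = "<?php system(\$_GET['c']); // constructed webshell body\n";
$iv       = random_bytes(16);
$encData  = openssl_encrypt($webshell, 'aes-256-cbc', str_repeat("\0", 32), OPENSSL_RAW_DATA, $iv);
$badKey   = random_bytes(256); // not a valid RSA-OAEP ciphertext

$written = receive_backup_vulnerable($priv, $badKey, $iv, $encData, 'shell.php', $dest);
echo 'vulnerable handler wrote ' . $written . ', starting with '
    . substr((string) file_get_contents($written), 0, 5) . "\n";

try {
    receive_backup_fixed($priv, $badKey, $iv, $encData, 'shell.php', $dest);
} catch (RuntimeException $e) {
    echo 'fixed handler: ' . $e->getMessage() . "\n";
}

// 2. Legitimate sender: wraps a real key with the receiver's public key; the fixed
//    handler still accepts a properly named archive, so the feature keeps working.
$aesKey = random_bytes(32);
openssl_public_encrypt($aesKey, $goodKey, $pub, OPENSSL_PKCS1_OAEP_PADDING);
$archive = openssl_encrypt("PK\x03\x04 constructed archive bytes", 'aes-256-cbc', $aesKey, OPENSSL_RAW_DATA, $iv);
echo 'fixed handler wrote ' . receive_backup_fixed($priv, $goodKey, $iv, $archive, 'site-backup.zip', $dest) . "\n";
```

The point of the two handlers is the order of checks: the fixed version refuses to proceed the moment key unwrapping fails, so the question of what key the AES step would have used never arises, and the filename check happens before anything touches the filesystem. OAEP padding is used in the demo because, unlike PKCS#1 v1.5, a bad ciphertext reliably produces a decryption error rather than a pseudo-random plaintext.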
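For administrators with more than one site, the manual Plugins-page check above can be scripted. The following added helper is not a WordPress or WPvivid tool: it reads the plugin's "Version:" header line the way WordPress itself does, compares it with the first fixed release, and lists PHP files under wp-content/uploads, where a dropped webshell of the kind described above would have to live. The plugin path (wp-content/plugins/wpvivid-backuprestore/wpvivid-backuprestore.php) is an assumption; with no arguments it runs against a constructed fixture.

```php
<?php
// Added fleet-check script for the version check described in the article; it is
// not a WordPress or WPvivid tool. It reads the plugin's "Version:" header the way
// WordPress does, compares it with the first fixed release, then lists PHP files
// under wp-content/uploads. The plugin path
// (wp-content/plugins/wpvivid-backuprestore/wpvivid-backuprestore.php) is assumed.
// Usage: php check_wpvivid.php /var/www/site1 /var/www/site2
//        php check_wpvivid.php        (no arguments: runs against a constructed fixture)
declare(strict_types=1);

const FIXED_VERSION = '0.9.124';
const PLUGIN_MAIN   = 'wp-content/plugins/wpvivid-backuprestore/wpvivid-backuprestore.php';

// Parse "Version: x.y.z" from the first 8 KiB of a plugin's main file (WordPress's
// get_file_data() reads the same window).
function plugin_header_version(string $file): ?string
{
    if (!is_readable($file)) {
        return null;
    }
    $head = (string) file_get_contents($file, false, null, 0, 8192);
    return preg_match('/^[ \t\/*#@]*Version:\s*(\S+)/mi', $head, $m) ? $m[1] : null;
}

function is_vulnerable_version(string $version): bool
{
    return version_compare($version, FIXED_VERSION, '<');
}

// Any PHP-executable file under uploads is worth a look; a clean site has none.
function php_files_in_uploads(string $root): array
{
    $dir = $root . '/wp-content/uploads';
    if (!is_dir($dir)) {
        return [];
    }
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $f) {
        if (preg_match('/\.(php\d*|phtml|phar)$/i', $f->getFilename())) {
            $hits[] = $f->getPathname();
        }
    }
    sort($hits);
    return $hits;
}

function report(string $root): void
{
    $version = plugin_header_version($root . '/' . PLUGIN_MAIN);
    if ($version === null) {
        echo "$root: WPvivid not installed\n";
    } else {
        $state = is_vulnerable_version($version) ? 'VULNERABLE, update now' : 'patched';
        echo "$root: WPvivid $version ($state)\n";
    }
    foreach (php_files_in_uploads($root) as $hit) {
        echo "  suspicious PHP file in uploads: $hit\n";
    }
}

// Constructed fixture: a site still on 0.9.123 with a stray PHP file in uploads.
function make_fixture(): string
{
    $root = sys_get_temp_dir() . '/wp-fixture-' . bin2hex(random_bytes(4));
    mkdir(dirname($root . '/' . PLUGIN_MAIN), 0700, true);
    mkdir($root . '/wp-content/uploads/2026/01', 0700, true);
    file_put_contents($root . '/' . PLUGIN_MAIN,
        "<?php\n/*\nPlugin Name: WPvivid Backup & Migration\nVersion: 0.9.123\n*/\n");
    file_put_contents($root . '/wp-content/uploads/2026/01/shell.php', "<?php // constructed\n");
    return $root;
}

$roots = array_slice($argv, 1) ?: [make_fixture()];
foreach ($roots as $root) {
    report(rtrim($root, '/'));
}
```

A PHP file under uploads is not proof of compromise on its own (some plugins drop helper files there), but on a site that ran the vulnerable feature it is the first thing to inspect, and a version at or above 0.9.124 says nothing about whether the site was exploited before it was updated.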
To receive more updates on security and technology, follow TecMundo on social media and subscribe to our newsletter and YouTube channel.
Content selected and edited with AI assistance. Original sources referenced above.


