Attackers can take over entire sites thanks to a vulnerability in a WordPress plugin.
A serious security flaw in the WPvivid Backup plugin for WordPress could allow attackers to execute malicious code without authentication and take over entire websites.
Serious flaw in plugin
The vulnerability (CVE-2026-1357) affects all versions of the plugin up to and including 0.9.123 and received a CVSS score of 9.8. The plugin is active on more than 900,000 WordPress sites worldwide and is widely used for backups and migrations between hosting environments, reports Bleeping Computer. Researchers from Defiant, a security firm specializing in WordPress, discovered that attackers can upload arbitrary files without authentication, which allows remote code execution and ultimately a full takeover of the site.
According to Defiant, sites with the option to use backups from another site enabled are particularly exposed. Additionally, the attack window can last up to 24 hours, for as long as a generated key remains valid. Despite these preconditions, the attack poses a real risk because administrators often temporarily activate this feature during migrations or recovery operations.
Cause and solution
The core of the problem lies in incorrect error handling during decryption combined with a lack of filename verification. The faulty error handling results in a predictable encryption key, and the missing filename checks are what turn the upload into code execution.
WPvividPlugins released a security update on January 28 in version 0.9.124. This version correctly checks for decryption errors, restricts the allowed file types, and prevents writing outside the backup folder. Administrators are advised to update the plugin to version 0.9.124 immediately and to check whether sensitive features such as cross-site restore are enabled unnecessarily.
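The three fixes named above (fail closed on decryption errors, allowlist file types, keep writes inside the backup folder) are a general pattern for any restore or upload handler. The following is an added illustration of that pattern in Python; it is not the plugin's code, and the allow/deny lists, the demo directory and the decrypt callback are constructed assumptions for the example.

```python
from pathlib import Path
import posixpath

# Constructed allow/deny lists for the example, not the plugin's real configuration.
ALLOWED_LAST_SUFFIX = {".zip", ".tar", ".gz"}
EXECUTABLE_SUFFIXES = {".php", ".phtml", ".phar", ".php5", ".php7"}
DEMO_BACKUP_DIR = "/tmp/wpvivid-demo-backups"  # constructed path for the demo


class UploadRejected(ValueError):
    """Raised when an uploaded backup part fails validation."""


def safe_backup_path(backup_dir: str, client_filename: str) -> Path:
    """Return the only path an uploaded backup part may be written to, or raise.

    Mirrors the fix categories named for 0.9.124: no directory components
    survive, the type must be on an allowlist, and the resolved target must
    sit directly inside backup_dir.
    """
    # Normalise separators and keep only the basename: "../../x.zip" -> "x.zip".
    name = posixpath.basename(client_filename.replace("\\", "/"))
    if not name or name in (".", "..") or "\x00" in name:
        raise UploadRejected("empty or invalid filename")
    suffixes = [s.lower() for s in Path(name).suffixes]
    # Allowlist the final extension and deny an executable type anywhere in the
    # chain, so "shell.php" and "shell.php.zip" are both refused.
    if not suffixes or suffixes[-1] not in ALLOWED_LAST_SUFFIX:
        raise UploadRejected(f"file type not allowed: {name}")
    if EXECUTABLE_SUFFIXES.intersection(suffixes):
        raise UploadRejected(f"executable type embedded in name: {name}")
    root = Path(backup_dir).resolve()
    target = (root / name).resolve()  # resolve() also follows a planted symlink
    if target.parent != root:
        raise UploadRejected("target escapes the backup directory")
    return target


def is_accepted(backup_dir: str, client_filename: str) -> bool:
    """True if the name passes every check, False otherwise."""
    try:
        safe_backup_path(backup_dir, client_filename)
        return True
    except UploadRejected:
        return False


def decrypt_key_material(blob: bytes, decrypt) -> bytes:
    """Fail closed: a decryption failure raises instead of yielding an empty or
    default value that a caller could go on to use as a key."""
    try:
        out = decrypt(blob)
    except Exception as exc:
        raise UploadRejected(f"decryption failed: {exc}") from exc
    if not out:
        raise UploadRejected("decryption returned no key material")
    return out
```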
