—–BEGIN PGP SIGNED MESSAGE—–

Hash: SHA256

Arbitrary File Upload Vulnerability in WPvivid Backup & Migration WordPress Plugin

Indian – Computer Emergency Response Team (https://www.cert-in.org.in)

Severity Rating: CRITICAL

Software Affected

WordPress Plugin WPvivid Backup & Migration versions 0.9.123 Sand prior

Overview

A vulnerability has been reported in WPvivid Backup & Migration plugin for WordPress which could allow an attacker to execute arbitrary code on the target system.

Target Audience:

WordPress website owners, administrators, developers, and hosting providers using WPvivid Backup & Migration plugin.

Risk Assessment:

Very high risk of remote code execution.

Impact Assessment:

Potential for complete system compromise.

Description

WPvivid Backup & Migration is a WordPress plugin used to back up, restore, migrate, and stage websites for easy site management and recovery.

This vulnerability exists in WPvivid Backup & Migration plugin of WordPress due to improper error handling in the RSA decryption process. An attacker could exploit this vulnerability by enticing the user to execute a specially crafted PHP file to a public directory.

Successful exploitation of this vulnerability could allow the attacker to execute arbitrary file leading to complete system compromise.

Solution

Apply appropriate updates as mentioned:

https://wordpress.org/plugins/wpvivid-backuprestore

Vendor Information

WordPress

https://wordpress.org

References

 

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wpvivid-backuprestore/migration-backup-staging-09123-unauthenticated-arbitrary-file-upload

CVE Name

CVE-2026-1357

– —

Thanks and Regards,

CERT-In

Incident Response Help Desk

e-mail: incident@cert-in.org.in

Phone: +91-11-22902657

Toll Free Number: 1800-11-4949

Toll Free Fax : 1800-11-6969

Web: http://www.cert-in.org.in

PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4

PGP Key information:

https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS

Postal address:

Indian Computer Emergency Response Team (CERT-In)

Ministry of Electronics and Information Technology

Government of India

Electronics Niketan

6, C.G.O. Complex

New Delhi-110 003

—–BEGIN PGP SIGNATURE—–

iQIzBAEBCAAdFiEE6r4Iam/Ey0c/KakL3jCgcSdcys8FAmmPOd0ACgkQ3jCgcSdc

ys8ovw/9Ef6SfOVXbJPMgEFFAx0tvyvLedZ2s/W+iH0AHJjFtf2cMN51cpeN+90C

mTqBtPBcqRKYrpeORGoTeomZYPD3MrWN5FX84QaKfAGDrXQA+eHVgIYJnQuSULnd

1hWm+DCWmfdDtMD93LQwIpPvEuHUlpjuXDBr2pE0o6jvizuD/KDiVlFMMg9mwSzD

OHUZdyKSxjAkFoQATQlcIbeunEk494odLGV5rwXOPd6FtKOh0ZsIELwrmjfzjYkr

Ew9kg23Qgq5KPPcPOK00qh1ajtx6KzAYZs5sK2zy45rDuKTjzJ6tvd005AsYoGat

4XUarQuien7cSRhbv9SIHq6ABHYPtBGky95+l+aNW67MuewJc91rlmloOQaj0iAl

RuywW6DjHds46GCEBxA1ydTHSKKU17HAnlpanBdvxqv0JrhKa98dUz8c3MXJ7ny5

sLdD7j3ap8RJdX7rlnf/yv5IVbEA/XDi12XeJUWj6I/DDwh1aBpavBd3e0x3aSuW

fUHrczHBZy/M8YPSRnHts87w+0EYBxaejEZHx4ChImoG0cuDq2AVcydzdH6V/ldD

s+1ALg2zcHE2PjMYuQj4cryLzl8DUHWs05XgziWo3rh2UcWX4SALCfTJsP1dqZSj

eRa3FYTK2HP9t4QS4tInoaHmpt6FBLTV2NLSfQkSpFrAlYArVjM=

=BmQw

—–END PGP SIGNATURE—–