Critical RCE Vulnerability in WPvivid Backup Plugin Exposes 800,000+ WordPress Sites A severe remote code execution (RCE) vulnerability in the WPvivid Backup & Migration plugin tracked as CVE-2026-1357 (CVSS 9.8) has left over 800,000 WordPress websites vulnerable to complete takeover. The flaw, discovered by security researcher Lucas Montes (NiRoX) and reported via the Wordfence Bug Bounty Program, enables unauthenticated attackers to upload arbitrary files and execute malicious PHP code on affected sites. The vulnerability stems from improper error handling in the plugin’s RSA decryption process and missing file path sanitization. When decryption fails, the plugin passes a `false` value into the AES cipher initialization, which the crypto library interprets as a string of null bytes. This predictable key allows attackers to encrypt payloads and bypass security controls. Additionally, unsanitized filenames permit directory traversal, letting threat actors write files to publicly accessible locations outside the backup directory. Exploitation occurs via the `wpvivid_action=send_to_site` parameter, which attackers can abuse to upload and execute arbitrary PHP files, leading to full site compromise. While the most critical exposure affects sites with the remote backup feature enabled (disabled by default and limited to a 24-hour key lifetime), all unpatched installations remain at risk. The vendor, WPvivid, released a patch (version 0.9.124) on January 28, 2026, after being notified on January 22. The fix introduces an empty check for decryption failures and enforces strict file extension validation to block malicious uploads. Wordfence deployed a firewall rule for paid customers on January 22, with free users gaining protection on February 21, 2026. Montes received a $2,145 bounty for the disclosure, highlighting the role of bug bounty programs in improving WordPress plugin security. Site owners are advised to update to version 0.9.124 or later immediately to mitigate the risk.