CVE-2026-1357
Published: 11 February 2026
Description
The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Upload in versions up to and including 0.9.123. This is due to improper error handling in the RSA decryption process combined with…
more
a lack of path sanitization when writing uploaded files. When the plugin fails to decrypt a session key using openssl_private_decrypt(), it does not terminate execution and instead passes the boolean false value to the phpseclib library's AES cipher initialization. The library treats this false value as a string of null bytes, allowing an attacker to encrypt a malicious payload using a predictable null-byte key. Additionally, the plugin accepts filenames from the decrypted payload without sanitization, enabling directory traversal to escape the protected backup directory. This makes it possible for unauthenticated attackers to upload arbitrary PHP files to publicly accessible directories and achieve Remote Code Execution via the wpvivid_action=send_to_site parameter.
Mitigating Controls (NIST 800-53 r5)AI
SI-11 requires secure error handling that would halt execution on openssl_private_decrypt() failure, preventing the false value from being passed as a null-byte key to AES initialization.
SI-10 mandates validation and sanitization of input filenames from decrypted payloads, blocking directory traversal and arbitrary PHP file uploads.
SI-2 ensures timely flaw remediation by patching the WPvivid plugin versions up to 0.9.123 to fix the decryption error handling and path sanitization issues.
Security SummaryAI
CVE-2026-1357 is an unauthenticated arbitrary file upload vulnerability in the Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress, affecting versions up to and including 0.9.123. The issue stems from improper error handling in the RSA decryption process within the plugin's cryptography functions, where a failure in openssl_private_decrypt() does not halt execution and instead passes a boolean false value to the phpseclib library's AES cipher initialization. The library interprets this false as a string of null bytes, enabling attackers to encrypt malicious payloads with a predictable null-byte key. Additionally, the plugin fails to sanitize filenames from the decrypted payload, allowing directory traversal beyond the protected backup directory.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no privileges by leveraging the wpvivid_action=send_to_site parameter. By crafting a payload that exploits the decryption flaw and path traversal, they can upload arbitrary PHP files to publicly accessible directories on the target WordPress site, resulting in remote code execution. The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).
Code references in the WordPress plugin trac repository highlight the flawed decryption logic in class-wpvivid-crypt.php at line 58 and the unsanitized file handling in class-wpvivid-send-to-site.php at line 629 across vulnerable tags 0.9.122 and 0.9.123, as well as the trunk version.
Details
- CWE(s)
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an unauthenticated arbitrary file upload with directory traversal in a public-facing WordPress plugin, enabling exploitation of public-facing applications (T1190) to deploy web shells (T1100) for remote code execution.