WordPress Plugin Vulnerabilities

Migration, Backup, Staging < 0.9.124 - Unauthenticated Arbitrary File Upload

Description

The plugin is vulnerable to Unauthenticated Arbitrary File Upload due to improper error handling in the RSA decryption process combined with a lack of path sanitization when writing uploaded files. When the plugin fails to decrypt a session key using openssl_private_decrypt(), it does not terminate execution and instead passes the boolean false value to the phpseclib library's AES cipher initialization. The library treats this false value as a string of null bytes, allowing an attacker to encrypt a malicious payload using a predictable null-byte key. Additionally, the plugin accepts filenames from the decrypted payload without sanitization, enabling directory traversal to escape the protected backup directory. This makes it possible for unauthenticated attackers to upload arbitrary PHP files to publicly accessible directories and achieve Remote Code Execution via the wpvivid_action=send_to_site parameter.

Affects Plugins

Plugin icon
wpvivid-backuprestore
Fixed in 0.9.124

References

CVE
CVE-2026-1357
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/e5af0317-ef46-4744-9752-74ce228b5f37

Miscellaneous

Original Researcher
Lucas Montes (NiRoX)
Verified
No
WPVDB ID
9973615c-7af8-44e7-8cae-8e45ccd362e6

Timeline

Publicly Published
2026-02-10 (about 3 months ago)
Added
2026-02-10 (about 3 months ago)
Last Updated
2026-05-11 (about 1 day ago)

Other

Published
Title
Published
2022-11-28
Title
SEO Plugin by Squirrly SEO < 12.1.11 - Contributor+ Arbitrary File Upload
Published
2024-11-12
Title
WooCommerce Upload Files < 84.4 - Unauthenticated Arbitrary File Upload
Published
2023-04-18
Title
OoohBoi Steroids for Elementor < 2.1.5 - Arbitrary File Upload
Published
2012-06-07
Title
MM Forms & MM Forms Community 2.2.6 - Unauthenticated Arbitrary File Upload
Published
2014-08-01
Title
Switchblade 1.3 - Arbitrary File Upload