A high-severity security issue in the **WPvivid Backup & Migration** WordPress plugin could allow attackers to take over affected websites under certain configurations.

## The vulnerability

- **CVE:** CVE-2026-1357

- **Severity:** 9.8 (critical)

- **Affected:** versions up to **0.9.123**

- **Patched:** **0.9.124**

According to the report, the bug chain can be exploited to upload files and achieve **remote code execution (RCE)**. Researchers attribute the root causes to:

- Improper error handling when RSA decryption fails (leading to a predictable key)

- Insufficient filename sanitization, enabling **directory traversal** and writing outside intended directories

## Who is most at risk

The article notes that the most critical impact is tied to a **non-default** option: “receive backup from another site.” That said, many admins enable this feature during migrations or transfers, sometimes temporarily—creating a real-world window of exposure.

## What WordPress admins should do

- Update WPvivid to **0.9.124** (or later) immediately.

- If you don’t need cross-site backup receiving, keep it disabled.

- Review plugin settings and file upload locations; look for unexpected PHP files.
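One way to carry out the last check, as an added example that is not code from WPvivid or from the report: a read-only scanner that flags files a web server could run as PHP. The default directory `wp-content/uploads`, the extension list and the function names `classify` and `scan` are assumptions; pass your own upload and backup directories as arguments.

```python
import os
import sys
import time
from pathlib import Path

# Assumption: extensions a server may hand to the PHP interpreter; match your config.
PHP_EXTENSIONS = {".php", ".phtml", ".phar", ".pht", ".php3", ".php4", ".php5", ".php7"}


def classify(path, sniff_bytes=1 << 20):
    """Return the reasons a file deserves review, or an empty list."""
    reasons = []
    # Check every suffix so "name.php.jpg" is caught as well as "name.php".
    if any(s.lower() in PHP_EXTENSIONS for s in Path(path).suffixes):
        reasons.append("php-extension")
    try:
        with open(path, "rb") as fh:
            # A PHP open tag inside an "image" or "text" file is worth a look.
            if b"<?php" in fh.read(sniff_bytes).lower():
                reasons.append("php-open-tag")
    except OSError:
        reasons.append("unreadable")
    return reasons


def scan(roots, since_days=None):
    """Walk each root and return sorted (path, reasons, mtime) for flagged files."""
    cutoff = None if since_days is None else time.time() - since_days * 86400
    findings = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                if os.path.islink(path):
                    continue  # never follow links out of the scanned tree
                mtime = os.path.getmtime(path)
                if cutoff is not None and mtime < cutoff:
                    continue  # older than the window being reviewed
                reasons = classify(path)
                if reasons:
                    findings.append((path, reasons, mtime))
    return sorted(findings)


if __name__ == "__main__":
    for path, reasons, mtime in scan(sys.argv[1:] or ["wp-content/uploads"]):
        stamp = time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime))
        print(f"{stamp}  {','.join(reasons):28}  {path}")
```

Flagged files need review rather than automatic deletion, since placeholder `index.php` files are common in WordPress directory trees. Use `since_days` to narrow the results to the period when backup receiving was enabled.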

## Why it matters for web development teams

Backup/migration plugins often run with high privileges and touch the filesystem—meaning a single flaw can become a full site compromise. Keeping these plugins updated and minimizing enabled features is a straightforward risk reduction.