A critical vulnerability has been disclosed in the **WPvivid Backup & Migration** WordPress plugin (installed on 900k+ sites), tracked as **CVE-2026-1357**.

### What happened

- The flaw can allow attackers to upload arbitrary files and achieve **remote code execution (RCE)**.

- According to Defiant’s analysis, the biggest risk applies when a non-default feature, **“receive backup from another site,”** is enabled.

### How exploitation works (high level)

- An RSA decryption error path doesn’t stop execution; the failure value can become a predictable key in subsequent crypto handling.

- Missing filename sanitization enables **directory traversal**, letting attackers write files outside the intended folder and potentially upload malicious PHP.
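As an added illustration (not WPvivid's code or the vendor's fix), the two defensive checks that address the failure modes above, in PHP; the function names, backup directory path and expected key length are assumptions:

```php
<?php
// Illustrative defensive code, not taken from WPvivid. Path and names are assumed.
const BACKUP_DIR = '/var/www/html/wp-content/wpvividbackups'; // assumed location

// 1. A failed RSA decryption must abort, never fall through.
//    openssl_private_decrypt() returns false on failure; if that false were
//    carried forward as the key for a later symmetric step it would be cast
//    to an empty string, i.e. a predictable key.
function decrypt_session_key(string $encrypted, string $private_key_pem): string {
    $pkey = openssl_pkey_get_private($private_key_pem);
    if ($pkey === false) {
        throw new RuntimeException('could not load private key');
    }
    $session_key = '';
    $ok = openssl_private_decrypt($encrypted, $session_key, $pkey, OPENSSL_PKCS1_OAEP_PADDING);
    // Check the return value AND the shape of the output (32 bytes assumed for AES-256).
    if ($ok !== true || !is_string($session_key) || strlen($session_key) !== 32) {
        throw new RuntimeException('RSA decryption failed; refusing to continue');
    }
    return $session_key;
}

// 2. A client-supplied backup filename must not escape the backup directory
//    and must not be executable by the web server.
function safe_backup_path(string $client_supplied_name): string {
    // Discard any directory components the remote site sent.
    $name = basename($client_supplied_name);
    // Allow only a conservative character set and a non-PHP extension.
    if (!preg_match('/^[A-Za-z0-9._-]+\.zip$/', $name)) {
        throw new InvalidArgumentException('rejected backup filename');
    }
    $target = BACKUP_DIR . DIRECTORY_SEPARATOR . $name;
    // Containment check on the resolved directory: realpath() collapses ".." and symlinks.
    $dir = realpath(dirname($target));
    if ($dir === false || $dir !== realpath(BACKUP_DIR)) {
        throw new RuntimeException('path escapes backup directory');
    }
    return $dir . DIRECTORY_SEPARATOR . $name;
}
```

With these checks a name such as `../../evil.php` is reduced to `evil.php` by `basename()` and then rejected by the extension rule before any write is attempted.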

### Impact

If exploitable on a given site, successful RCE can mean full compromise: webshells, credential theft, SEO spam, redirects, and lateral movement through hosting environments.

### What site owners should do

- **Update to WPvivid 0.9.124** or later (the fix release noted in the report).

- If you used “receive backup from another site,” disable it when not needed.

- Review web server logs and file integrity; monitor for unexpected PHP uploads in writable directories.

**Source:** BleepingComputer coverage citing Defiant and the CVE (linked below).