CVE 9.8 CRITICAL

Migration, Backup, Staging <= 0.9.123 - Unauthenticated Arbitrary File Upload_CVE-2026-1357

February 11, 2026 invoker category_cve

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Upload in versions up to and including 0.9.123. This is due to improper error handling in the RSA decryption process combined with a lack of path sanitization when writing uploaded files. When the plugin fails to decrypt a session key using openssl_private_decrypt(), it does not terminate execution and instead passes the boolean false value to the phpseclib library's AES cipher initialization. The library treats this false value as a string of null bytes, allowing an attacker to encrypt a malicious payload using a predictable null-byte key. Additionally, the plugin accepts filenames from the decrypted payload without sanitization, enabling directory traversal to escape the protected backup directory. This makes it possible for unauthenticated attackers to upload arbitrary PHP files to publicly accessible directories and achieve Remote Code Execution via the wpvivid_action=send_to_site parameter.

AI Analysis

Unauthenticated Arbitrary File Upload vulnerability due to improper error handling and lack of path sanitization in the WPvivid Backup & Migration plugin for WordPress

Basic Information

ID CVE-2026-1357

Source Wordfence

Published Feb 11, 2026 at 05:30

Affected Product

Vendor wpvividplugins

Product Migration, Backup, Staging – WPvivid Backup & Migration

Version 0.9.123

Affected Versions wpvividplugins Migration, Backup, Staging – WPvivid Backup & Migration *

CWE Classification

CWE-434

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor wpvividplugins

Product Migration, Backup, Staging – WPvivid Backup & Migration

Version 0.9.123

References

{
    "lastseen": "",
    "description": "The Migration, Backup, Staging \u2013 WPvivid Backup & Migration plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Upload in versions up to and including 0.9.123. This is due to improper error handling in the RSA decryption process combined with a lack of path sanitization when writing uploaded files. When the plugin fails to decrypt a session key using openssl_private_decrypt(), it does not terminate execution and instead passes the boolean false value to the phpseclib library's AES cipher initialization. The library treats this false value as a string of null bytes, allowing an attacker to encrypt a malicious payload using a predictable null-byte key. Additionally, the plugin accepts filenames from the decrypted payload without sanitization, enabling directory traversal to escape the protected backup directory. This makes it possible for unauthenticated attackers to upload arbitrary PHP files to publicly accessible directories and achieve Remote Code Execution via the wpvivid_action=send_to_site parameter.",
    "published": "2026-02-11T05:30:11.054Z",
    "modified": "2026-02-11T05:30:11.054Z",
    "type": "cve",
    "title": "Migration, Backup, Staging <= 0.9.123 - Unauthenticated Arbitrary File Upload",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e5af0317-ef46-4744-9752-74ce228b5f37?source=cve\nhttps://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/trunk/includes/class-wpvivid-crypt.php#L58\nhttps://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.122/includes/class-wpvivid-crypt.php#L58\nhttps://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.123/includes/class-wpvivid-crypt.php#L58\nhttps://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/trunk/includes/customclass/class-wpvivid-send-to-site.php#L629\nhttps://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.122/includes/customclass/class-wpvivid-send-to-site.php#L629\nhttps://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.123/includes/customclass/class-wpvivid-send-to-site.php#L629\nhttps://plugins.trac.wordpress.org/changeset/3448386/wpvivid-backuprestore#file1",
    "id": "CVE-2026-1357",
    "bulletinFamily": "",
    "cwe": [
        "CWE-434"
    ],
    "cvelist": null,
    "sourceData": "wpvividplugins Migration, Backup, Staging \u2013 WPvivid Backup & Migration *",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Migration, Backup, Staging \u2013 WPvivid Backup & Migration",
    "version": "0.9.123",
    "vendor": "wpvividplugins",
    "ai_description": "Unauthenticated Arbitrary File Upload vulnerability due to improper error handling and lack of path sanitization in the WPvivid Backup & Migration plugin for WordPress",
    "ai_severity": "Critical",
    "ai_vendor": "wpvividplugins",
    "ai_product": "Migration, Backup, Staging \u2013 WPvivid Backup & Migration",
    "ai_version": "0.9.123",
    "ai_score": 9.8
}

💭 Join the Security Discussion ❌ Cancel Reply