A critical vulnerability in the WPvivid Backup & Migration plugin for WordPress, tracked as CVE-2026-1357, is actively being exploited in the wild, enabling attackers to execute arbitrary code and potentially take full control of affected websites. This zero-day flaw, with a CVSS score of 9.8, was exploited before its public disclosure on February 11, 2026, highlighting the urgency for site administrators to address the issue immediately.
The vulnerability stems from improper error handling in the RSA decryption process, coupled with inadequate path sanitization when writing files. This allows unauthenticated attackers to upload arbitrary files to the server, leading to remote code execution (RCE). The flaw affects all versions of the plugin up to and including 0.9.123, which is widely used for site migration, backup, and staging tasks.
With eight proof-of-concept exploits already available, the threat landscape is particularly concerning for WordPress site owners relying on this plugin. The Exploit Prediction Scoring System (EPSS) rates the likelihood of exploitation at 0.150, underscoring the need for immediate attention.
Security teams are advised to prioritize patching or disabling the plugin to mitigate potential breaches. The Security Severity Vulnerability Classification (SSVC) categorizes this vulnerability as 'attend,' indicating that it requires prompt action. Given the active exploitation and the critical nature of the flaw, site administrators should verify their systems for unauthorized file uploads and ensure that all plugins are updated to the latest versions to prevent compromise.
CSURFACE