CVE-2026-1357
Published: 11 February 2026
Summary
CVE-2026-1357 is an Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in the Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress, affecting versions up to and including 0.9.123. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to unauthenticated arbitrary file upload in versions up to and including 0.9.123. The flaw stems from improper error handling in RSA decryption within class-wpvivid-crypt.php combined with missing path sanitization in class-wpvivid-send-to-site.php. When openssl_private_decrypt fails, the plugin does not stop; it passes the resulting boolean false to the phpseclib AES implementation, which treats it as a key of null bytes, and then accepts unsanitized filenames from the decrypted payload.
Unauthenticated attackers can exploit the issue over the network by sending a crafted payload to the endpoint selected by the wpvivid_action=send_to_site parameter. Because the AES key is predictable (all null bytes), the attacker can encrypt arbitrary content that the plugin will decrypt successfully; the filename carried in that payload is then used without sanitization, so directory traversal writes PHP files outside the intended backup directory and results in remote code execution (CVSS 9.8).
The provided references consist of WordPress plugin repository links to the vulnerable code paths in versions 0.9.122 and 0.9.123 but contain no advisory statements or mitigation guidance. The EPSS score peaked at 0.2242 and currently stands at 0.1679, which indicates material exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5948
Vulnerability details
The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Upload in versions up to and including 0.9.123. This is due to improper error handling in the RSA decryption process combined with a lack of path sanitization when writing uploaded files. When the plugin fails to decrypt a session key using openssl_private_decrypt(), it does not terminate execution and instead passes the boolean false value to the phpseclib library's AES cipher initialization. The library treats this false value as a string of null bytes, allowing an attacker to encrypt a malicious payload using a predictable null-byte key. Additionally, the plugin accepts filenames from the decrypted payload without sanitization, enabling directory traversal to escape the protected backup directory. This makes it possible for unauthenticated attackers to upload arbitrary PHP files to publicly accessible directories and achieve Remote Code Execution via the wpvivid_action=send_to_site parameter.
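The two defects described above, the failed RSA unwrap that silently becomes an all-null AES key and the unsanitized filename, shown next to fail-closed versions. This is an added PHP example, not WPvivid's code: the function names, the use of str_pad to stand in for phpseclib's key padding, the .zip allowlist and the temporary-directory backup root are assumptions, and the request inputs are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not WPvivid code: hypothetical reconstructions of the two
// described defects next to fail-closed versions. Names and the .zip allowlist
// are assumptions; the inputs below are constructed.

// Constructed stand-ins for a wpvivid_action=send_to_site request.
$backup_dir       = sys_get_temp_dir();                             // assumed backup root
$site_private_key = openssl_pkey_new(['private_key_bits' => 2048]); // receiving site's RSA key
$wrapped_key      = random_bytes(256);                              // garbage: RSA unwrap will fail

// --- Vulnerable pattern ---------------------------------------------------
function vulnerable_session_key(string $wrapped, $priv): string
{
    $session_key = false;
    openssl_private_decrypt($wrapped, $session_key, $priv); // result ignored; $session_key stays false
    // phpseclib-style key handling, modelled with str_pad: (string) false is "",
    // and a short key is right-padded with NUL bytes, so a failed unwrap turns
    // into an all-zero, attacker-predictable AES key.
    return str_pad((string) $session_key, 32, "\0");
}

function vulnerable_target_path(string $backup_dir, string $name): string
{
    return $backup_dir . '/' . $name; // "../../evil.php" walks out of the backup directory
}

// --- Fail-closed versions -------------------------------------------------
function hardened_session_key(string $wrapped, $priv): string
{
    $session_key = false;
    // The padding mode must match what the sending site used; OAEP is preferable
    // if both sides can change. The point here is that failure is terminal.
    if (!openssl_private_decrypt($wrapped, $session_key, $priv)
        || !is_string($session_key) || strlen($session_key) !== 32) {
        throw new RuntimeException('session key unwrap failed');
    }
    return $session_key;
}

function hardened_target_path(string $backup_dir, string $name): string
{
    $base = basename($name);
    // No directory component, a conservative character set, and only backup
    // archives (the .zip allowlist is an assumption about what belongs here).
    if ($base !== $name || !preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,200}\.zip$/', $base)) {
        throw new RuntimeException('rejected filename: ' . $name);
    }
    $root = realpath($backup_dir);
    if ($root === false) {
        throw new RuntimeException('backup directory missing');
    }
    $target = $root . DIRECTORY_SEPARATOR . $base;
    // Belt and braces: the final path must still sit under the resolved root.
    if (strncmp($target, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        throw new RuntimeException('path escapes backup directory');
    }
    return $target;
}

// --- Demonstration --------------------------------------------------------
$bad_key = vulnerable_session_key($wrapped_key, $site_private_key);
echo 'vulnerable key is all NUL: ', ($bad_key === str_repeat("\0", 32) ? 'yes' : 'no'), "\n";
echo 'vulnerable path: ', vulnerable_target_path($backup_dir, '../../evil.php'), "\n";

$checks = [
    ['hardened_session_key', [$wrapped_key, $site_private_key]],
    ['hardened_target_path', [$backup_dir, '../../evil.php']],
    ['hardened_target_path', [$backup_dir, 'site-backup.zip']],
];
foreach ($checks as [$fn, $args]) {
    try {
        $result = $fn(...$args);
        echo $fn, ': accepted -> ', bin2hex($result) === $result ? $result : $result, "\n";
    } catch (RuntimeException $e) {
        echo $fn, ': refused (', $e->getMessage(), ")\n";
    }
}
```

Run with `php example.php`. The vulnerable path returns a 32-byte NUL key and a path that leaves the backup root; the hardened versions refuse the failed unwrap and the traversal name and accept only a plain archive name under the resolved root. Rejecting non-archive extensions matters even inside the backup directory, because a PHP file written there is still reachable if the directory is web-served.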
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an unauthenticated arbitrary file upload with directory traversal in a public-facing WordPress plugin, enabling exploitation of public-facing applications (T1190) to deploy web shells (T1505.003, the former T1100) for remote code execution.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces authentication and authorization on the wpvivid_action=send_to_site endpoint before any file upload or decryption occurs.
- SI-10 (Information Input Validation): requires validation and sanitization of decrypted filename values to block directory traversal outside the intended backup directory.
- Mandates secure handling of openssl_private_decrypt failures so execution terminates instead of proceeding with a false/null-byte AES key.