Cyber Resilience

CVE-2026-1357

Critical

Published: 11 February 2026

Modified: 15 April 2026
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.3271 (98.1st percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-1357 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in WordPress (product inferred from references). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.9% of all CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to unauthenticated arbitrary file upload in versions up to and including 0.9.123. The flaw stems from improper error handling in RSA decryption within class-wpvivid-crypt.php combined with missing path sanitization in class-wpvivid-send-to-site.php. When openssl_private_decrypt fails, the plugin passes a boolean false value to the phpseclib AES implementation, which treats it as a null-byte key, and subsequently accepts unsanitized filenames from the decrypted payload.

Unauthenticated attackers can exploit the issue over the network by supplying a malicious payload to the wpvivid_action=send_to_site parameter. This allows encryption of arbitrary content with the predictable null-byte key, followed by directory traversal to write PHP files outside the intended backup directory, resulting in remote code execution with CVSS 9.8 severity.

The provided references consist of WordPress plugin repository links to the vulnerable code paths in versions 0.9.122 and 0.9.123 but contain no advisory statements or mitigation guidance. The EPSS score shows a material rise to a peak of 0.2242 from the current value of 0.1679, indicating increased exploitation interest after disclosure.

Vulnerability details

The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Upload in versions up to and including 0.9.123. This is due to improper error handling in the RSA decryption process combined with a lack of path sanitization when writing uploaded files. When the plugin fails to decrypt a session key using openssl_private_decrypt(), it does not terminate execution and instead passes the boolean false value to the phpseclib library's AES cipher initialization. The library treats this false value as a string of null bytes, allowing an attacker to encrypt a malicious payload using a predictable null-byte key. Additionally, the plugin accepts filenames from the decrypted payload without sanitization, enabling directory traversal to escape the protected backup directory. This makes it possible for unauthenticated attackers to upload arbitrary PHP files to publicly accessible directories and achieve Remote Code Execution via the wpvivid_action=send_to_site parameter.
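The deeper analysis and the vulnerability details above name two missing checks: an unchecked openssl_private_decrypt() result that reaches the AES layer as false, and a decrypted filename that reaches the filesystem without containment. The PHP below is an added example written for this page, not code from the WPvivid plugin; the class and method names, the 32-byte (AES-256) session key length and the .zip allow-list are assumptions.

```php
<?php
// Added illustration for this page, not code from the WPvivid plugin.
// Hypothetical handler showing fail-closed versions of the two checks the
// advisory text says were missing: RSA unwrap error handling and path containment.
declare(strict_types=1);

final class SendToSiteHandler
{
    public function __construct(
        private string $privateKeyPem,   // PEM-encoded RSA private key (assumed input)
        private string $backupDir        // intended backup directory (assumed input)
    ) {}

    /** Unwrap the AES session key; never let a false result reach the cipher. */
    public function unwrapSessionKey(string $wrappedKey): string
    {
        $key = '';
        $ok = openssl_private_decrypt($wrappedKey, $key, $this->privateKeyPem, OPENSSL_PKCS1_OAEP_PADDING);
        if ($ok !== true) {
            // Fail closed: the vulnerable pattern continued here with a false key,
            // which phpseclib treated as an all-null-byte key.
            throw new RuntimeException('session key unwrap failed');
        }
        // Assumed key size: AES-256. Rejecting other lengths also blocks degenerate keys.
        if (strlen($key) !== 32) {
            throw new RuntimeException('unexpected session key length');
        }
        return $key;
    }

    /** Turn a client-supplied name into a path that must lie inside $backupDir. */
    public function resolveTargetPath(string $clientName): string
    {
        $name = basename($clientName);               // drop any directory component
        // Allow-list characters and extension: "../", separators and .php cannot pass.
        if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*\.zip$/', $name)) {
            throw new InvalidArgumentException('rejected filename');
        }
        $root = realpath($this->backupDir);
        if ($root === false) {
            throw new RuntimeException('backup directory missing');
        }
        $target = $root . DIRECTORY_SEPARATOR . $name;
        // Containment check on the resolved parent, so symlinks cannot redirect the write.
        if (realpath(dirname($target)) !== $root) {
            throw new RuntimeException('path escapes backup directory');
        }
        return $target;
    }
}
```

A caller that catches either exception should abort the request and log it, since the flaw described above was precisely that the failure path kept executing.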

CWE(s)

CWE-434 Unrestricted Upload of File with Dangerous Type

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

The vulnerability is an unauthenticated arbitrary file upload with directory traversal in a public-facing WordPress plugin, enabling exploitation of public-facing applications (T1190) to deploy web shells (T1505.003) for remote code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-22654 (shared CWE-434)
CVE-2025-11948 (shared CWE-434)
CVE-2025-67260 (shared CWE-434)
CVE-2025-28915 (shared CWE-434)
CVE-2023-53956 (shared CWE-434)
CVE-2025-6058 (shared CWE-434)
CVE-2021-47819 (shared CWE-434)
CVE-2025-7852 (shared CWE-434)
CVE-2026-4883 (shared CWE-434)
CVE-2019-25630 (shared CWE-434)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

NIST 800-53 r5 (AI-generated mapping)

prevent: Enforces authentication and authorization on the wpvivid_action=send_to_site endpoint before any file upload or decryption occurs (AC-3 Access Enforcement).

prevent: Requires validation and sanitization of decrypted filename values to block directory traversal outside the intended backup directory (SI-10 Information Input Validation).

prevent: Mandates secure handling of openssl_private_decrypt failures so execution terminates instead of proceeding with a false/null-byte AES key.
