A critical vulnerability in the popular WPvid Backup & Migration plugin for WordPress, installed on more than 900,000 sites, allowed an unauthenticated attacker to upload arbitrary files and, under certain conditions, execute code remotely on the server. The issue is tracked as CVE-2026-1357 and was assigned a CVSS severity score of 9.8. It affects all versions before 0.9.124 and, if left unpatched, could lead to a complete takeover of the site.
Although the "critical" label sounds alarming, the researchers who analyzed the flaw explain that practical exploitation requires an option that is not enabled by default: the feature that allows one site to "receive a backup from another site". This reduces the attack surface but does not eliminate it: many administrators turn that option on temporarily during migrations or hosting transfers, so the real exposure can be significant in maintenance or migration scenarios.

Technically, the vulnerability combined two errors: incorrect error handling during RSA decryption and a lack of sanitization of uploaded file names. When the call to openssl_private_decrypt() failed, the plugin did not stop; it went on using the failed result (the boolean value false) as the seed for the AES routine. In practice the cryptographic library interpreted that value as a string of null bytes, which made the resulting key predictable and allowed an attacker to craft encrypted payloads that the plugin would accept. In addition, because file names were not cleaned, path traversal was possible: files could be written outside the folder intended for backups, including malicious PHP scripts that could then be executed on the server.
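The following PHP is an added illustration of that first error and is not the plugin's own code. It shows a helper that returns false when the RSA unwrap fails, a caller that ignores that false (PHP casts it to an empty string, and openssl_decrypt() silently pads a short passphrase with NUL bytes, so the effective key is all zeros), and a caller that refuses to continue. The cipher, key length, function names and the garbage input are assumptions chosen for the example.

```php
<?php
// Added example, not the plugin's code. Demonstrates: an unchecked false from
// the RSA step becomes an all-zero AES key, so ciphertext prepared by an attacker
// under a zero key is accepted. Cipher/key length/names are assumptions.

const CIPHER  = 'aes-256-cbc';
const KEY_LEN = 32;

// Returns the unwrapped AES seed, or false if the RSA decryption failed.
function rsaUnwrap(string $wrapped, $privateKey)
{
    return openssl_private_decrypt($wrapped, $seed, $privateKey) ? $seed : false;
}

// Vulnerable caller: never checks for false. openssl_decrypt() receives false,
// casts it to "" and pads it with NUL bytes up to the 32-byte key length.
function aesDecryptUnchecked(string $payload, string $iv, string $wrapped, $privateKey)
{
    $key = rsaUnwrap($wrapped, $privateKey);     // may be false
    return openssl_decrypt($payload, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
}

// Hardened caller: abort on RSA failure, on a wrong-sized seed, and on AES failure.
function aesDecryptChecked(string $payload, string $iv, string $wrapped, $privateKey): string
{
    $key = rsaUnwrap($wrapped, $privateKey);
    if ($key === false || strlen($key) !== KEY_LEN) {
        throw new RuntimeException('RSA unwrap of the session key failed; aborting');
    }
    $plain = openssl_decrypt($payload, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    if ($plain === false) {
        throw new RuntimeException('AES decryption failed; aborting');
    }
    return $plain;
}

// A fresh key pair for the demo (the real plugin has its own).
$privateKey = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);

// Constructed attacker input: not a valid RSA ciphertext for this key at all,
// so rsaUnwrap() returns false.
$garbage = 'definitely-not-an-rsa-ciphertext';
var_dump(rsaUnwrap($garbage, $privateKey));    // bool(false)

// The attacker encrypts under 32 zero bytes, which is exactly the key the
// vulnerable caller ends up using.
$iv      = random_bytes(16);
$zeroKey = str_repeat("\0", KEY_LEN);
$payload = openssl_encrypt('attacker-controlled content', CIPHER, $zeroKey, OPENSSL_RAW_DATA, $iv);

var_dump(aesDecryptUnchecked($payload, $iv, $garbage, $privateKey) === 'attacker-controlled content');
// bool(true): the "encrypted" payload is accepted without the attacker ever knowing a secret.

try {
    aesDecryptChecked($payload, $iv, $garbage, $privateKey);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;             // the hardened path stops here
}
```

The general lesson applies to any wrapper that can return false: check the return value with `=== false` before using it, and validate the length of any key material, because PHP's coercion of false to "" and openssl_decrypt()'s NUL padding are both silent.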
The researcher known as Lucas Montes (NiRoX) reported the problem to the company responsible for the plugin on 12 January. After a proof of concept was validated, the vendor was officially notified and a fix was published in version 0.9.124 of the plugin on January 28. The patch adds a check that aborts execution if RSA decryption fails, sanitizes file names, and restricts the file types allowed for backups to safe, expected formats such as ZIP, GZ, TAR and SQL.
If you want to check the official entry in the vulnerability register, the record in the National Vulnerability Database is available at NVD: CVE-2026-1357 in NVD. To view the plugin page and its history in the official WordPress repository, go to its page on WordPress.org: WPvid Backup & Migration on WordPress.org. If you want to review the PHP documentation for the function involved in the problem, the official reference is in the PHP manual: openssl_private_decrypt(). To understand why directory traversal is dangerous, OWASP offers a practical explanation of this class of attack: Path Traversal (OWASP).
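The following PHP is an added example of the second part of the fix, the file-name validation, and is not the plugin's code. The allowed extensions are the ones the article lists; the destination directory, helper name and test inputs are assumptions for illustration.

```php
<?php
// Added example, not the plugin's code: a file-name check for incoming backups
// that blocks path traversal and restricts extensions. BACKUP_DIR and the
// function name are assumptions; ALLOWED_EXT follows the formats in the article.

const BACKUP_DIR  = '/var/www/html/wp-content/backups';
const ALLOWED_EXT = ['zip', 'gz', 'tar', 'sql'];
// Extensions that must not appear anywhere in the name: with some Apache
// configurations (mod_mime AddHandler) an inner extension can select the PHP handler.
const DANGEROUS_EXT = ['php', 'phtml', 'phar', 'htaccess'];

// Returns the absolute destination path, or null if the name is not acceptable.
function safeBackupPath(string $userSuppliedName): ?string
{
    // 1. Drop every directory component the client sent ("../", absolute paths, backslashes).
    $name = basename(str_replace('\\', '/', $userSuppliedName));

    // 2. Reject empty names, dot-files and anything outside a conservative character set.
    if ($name === '' || $name[0] === '.' || !preg_match('/^[A-Za-z0-9._-]+$/', $name)) {
        return null;
    }

    // 3. The final extension must be on the allowlist...
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    // ...and no dot-separated segment may be an executable extension (shell.php.zip).
    foreach (array_slice(explode('.', strtolower($name)), 1) as $segment) {
        if (in_array($segment, DANGEROUS_EXT, true)) {
            return null;
        }
    }

    // 4. Defence in depth: the joined path must still start inside BACKUP_DIR.
    $path = BACKUP_DIR . '/' . $name;
    if (strncmp($path, BACKUP_DIR . '/', strlen(BACKUP_DIR) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed inputs: expected acceptance on the right.
$cases = [
    'site-2026-01-28.zip'            => true,
    'db.sql'                         => true,
    'a.tar.gz'                       => true,
    '../../wp-content/uploads/x.php' => false,  // traversal plus PHP
    '..\\..\\evil.php'               => false,  // Windows-style traversal
    'backup.php'                     => false,  // not an allowed format
    'backup.zip.php'                 => false,  // last extension decides
    'shell.php.zip'                  => false,  // inner executable extension
    '.htaccess'                      => false,  // dot-file
];
foreach ($cases as $name => $expected) {
    $accepted = safeBackupPath($name) !== null;
    printf("%-34s %s\n", $name, $accepted === $expected ? 'ok' : 'MISMATCH');
}
```

Note that basename() alone is not enough: it removes traversal but says nothing about what the web server will do with the file once it lands, which is why the extension checks are part of the same function.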

What should administrators and managers of WordPress sites do? First, update the plugin to version 0.9.124 as soon as possible: that is the most direct way to close this attack path. If for any reason you cannot update immediately, check whether the "receive backup from another site" option is enabled and disable it if you do not need it. It is also advisable to audit the system for suspicious files, to review the web server logs for unusual uploads or accesses in the relevant time window and, if in doubt, to restore from a known clean backup.
This incident is a good lesson in how failures in cryptographic error handling and input validation can combine into a serious risk. Poorly handled cryptography can produce predictable keys, and missing sanitization of file paths opens the door to writing where it should not be possible; together, these weaknesses give an attacker a direct path to remote code execution. It is therefore important not only to trust that a library "stops" on error, but also to explicitly check return values and strictly validate any data that comes from outside.
In short, if your site uses WPvid Backup & Migration: update to 0.9.124 now, check whether you enabled the backup-reception option and, if the affected feature was in use, perform a thorough review of the system. Keeping backup and migration plugins up to date, with appropriate permissions and controls, is essential to prevent a maintenance operation from becoming a security hole.