A serious security issue has been discovered in the popular WordPress plugin WPvivid Backup & Migration. The vulnerability affects more than 900,000 websites and could allow attackers to run harmful code on vulnerable servers. Security researchers have given this flaw a critical severity score of 9.8, which means the risk is extremely high.
The vulnerability is tracked as CVE-2026-1357, and experts are urging website owners to update the plugin immediately to prevent possible attacks.
What Is the Security Problem?
The issue comes from weak error handling and poor file sanitization when the plugin processes uploaded files. Because of this flaw, attackers may upload harmful PHP files to a website without needing any login access.
Once the file is uploaded, attackers can run commands on the server. This could allow them to control the entire website, steal data, install malware, or damage the server.
This type of attack is known as Remote Code Execution (RCE), which is considered one of the most dangerous vulnerabilities in web security.
Which Websites Are at Risk?
Not every site using the plugin is automatically exposed. The risk mainly affects websites that have the “receive backup from another site” feature enabled. This setting is commonly used when transferring backups or migrating websites.
Because many website administrators use this option during site migration, a large number of websites may still be vulnerable.
Below is a quick overview of the vulnerability.
| Detail | Information |
|---|---|
| Vulnerability ID | CVE-2026-1357 |
| Severity Score | 9.8 (Critical) |
| Affected Plugin | WPvivid Backup & Migration |
| Affected Versions | Up to 0.9.123 |
| Fixed Version | 0.9.124 |
| Risk | Remote Code Execution |
| Potential Impact | Server takeover, malware, data theft |
How the Update Fixes the Issue
The plugin developers quickly released version 0.9.124 to fix the problem. This update improves the plugin’s security in several ways.
The patch adds stronger filename sanitization, improves error handling, and restricts uploads to safe backup formats like ZIP, TAR, SQL, and GZ. These changes block attackers from uploading harmful PHP scripts.
Updating to the latest version is the most effective way to stay protected.
Why Plugin Security Matters
Plugins are one of the biggest strengths of WordPress, but they can also become security risks if not maintained properly. Many large website attacks happen through outdated plugins or themes.
When a plugin used by hundreds of thousands of sites has a vulnerability, attackers often scan the internet automatically to find and exploit those sites.
Steps Website Owners Should Take
Website administrators should take a few important steps to protect their sites:
-
Update the WPvivid plugin immediately
-
Disable unused features such as remote backup receiving
-
Review installed plugins and remove unused ones
-
Keep WordPress core, plugins, and themes updated
-
Use security monitoring tools
Regular maintenance and quick updates are essential for keeping websites secure in today’s online environment.