CVE-2026-1357

CRITICAL EXPLOITED NUCLEI LAB

WPvivid Backup & Migration <0.9.123 - Unauthenticated RCE

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2026-1357 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 13 public exploits from researchers including XiaomingX, cybertechajju, adminlove520. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a functional SQL injection exploit for CVE-2025-10042, targeting WordPress Quiz Maker plugin versions <= 6.7.0.56. The exploit uses time-based blind SQLi to extract admin credentials and hashes.

Description

The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Upload in versions up to and including 0.9.123. This is due to improper error handling in the RSA decryption process combined with a lack of path sanitization when writing uploaded files. When the plugin fails to decrypt a session key using openssl_private_decrypt(), it does not terminate execution and instead passes the boolean false value to the phpseclib library's AES cipher initialization. The library treats this false value as a string of null bytes, allowing an attacker to encrypt a malicious payload using a predictable null-byte key. Additionally, the plugin accepts filenames from the decrypted payload without sanitization, enabling directory traversal to escape the protected backup directory. This makes it possible for unauthenticated attackers to upload arbitrary PHP files to publicly accessible directories and achieve Remote Code Execution via the wpvivid_action=send_to_site parameter.

Exploits (13)

github WORKING POC 10 stars
by XiaomingX · pythonpoc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-1357

This repository contains a functional SQL injection exploit for CVE-2025-10042, targeting WordPress Quiz Maker plugin versions <= 6.7.0.56. The exploit uses time-based blind SQLi to extract admin credentials and hashes.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: WordPress Quiz Maker <= 6.7.0.56
No auth needed
Prerequisites: WordPress site with vulnerable Quiz Maker plugin · accessible quiz page path
devstral-2 · analyzed Feb 27, 2026 Full analysis →
nomisec WORKING POC 5 stars
by cybertechajju · remote
https://github.com/cybertechajju/CVE-2026-1357-POC

This repository contains a functional exploit for CVE-2026-1357, an unauthenticated RCE vulnerability in WPvivid Backup & Migration. The exploit chains a crypto fail-open bug with path traversal to upload a malicious file, demonstrating the vulnerability with post-exploitation capabilities.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WPvivid Backup & Migration ≤ 0.9.123
No auth needed
Prerequisites: Target must have WPvivid Backup & Migration plugin installed and vulnerable version ≤ 0.9.123 · wpvivid_api_token must be generated and not expired
devstral-2 · analyzed Feb 18, 2026 Full analysis →
github WORKING POC 4 stars
by adminlove520 · pythonpoc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2026/CVE-2026-1357

This repository contains a functional exploit for CVE-2026-1357, targeting the WPvivid Backup & Migration plugin for WordPress. The exploit leverages improper error handling in RSA decryption and lack of path sanitization to achieve unauthenticated arbitrary file upload, leading to remote code execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WPvivid Backup & Migration plugin for WordPress (versions up to and including 0.9.123)
No auth needed
Prerequisites: WordPress with vulnerable WPvivid Backup & Migration plugin installed · Plugin must have a generated key to initialize the migration listener
devstral-2 · analyzed May 08, 2026 Full analysis →
nomisec WORKING POC 4 stars
by halilkirazkaya · remote
https://github.com/halilkirazkaya/CVE-2026-1357

This repository contains a functional exploit for CVE-2026-1357, targeting an unauthenticated arbitrary file upload vulnerability in WPvivid Backup & Migration plugin (≤ 0.9.123). The exploit leverages a cryptographic fail-open (null AES key) and path traversal to achieve remote code execution (RCE).

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WPvivid Backup & Migration ≤ 0.9.123
No auth needed
Prerequisites: A generated wpvivid_api_token that has not expired
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 3 stars
by LucasM0ntes · remote
https://github.com/LucasM0ntes/POC-CVE-2026-1357

This repository contains a functional exploit for CVE-2026-1357, an unauthenticated arbitrary file upload vulnerability in WPvivid Backup & Migration plugin (versions <= 0.9.123). The exploit leverages a cryptographic fail-open flaw combined with path traversal to achieve remote code execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WPvivid Backup & Migration WordPress plugin <= 0.9.123
No auth needed
Prerequisites: phpseclib (v1) for local payload generation · WPvivid plugin with an active API token
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 1 stars
by itsismarcos · remote
https://github.com/itsismarcos/Exploit-CVE-2026-1357

This repository contains a functional exploit for CVE-2026-1357, targeting a vulnerability in the WPvivid Backup plugin. The exploit leverages a null byte key decryption flaw and directory traversal to upload a malicious PHP webshell, achieving remote code execution (RCE).

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WPvivid Backup plugin (versions before 0.9.124)
No auth needed
Prerequisites: Target must have the vulnerable WPvivid Backup plugin installed · Target must be accessible via HTTP/HTTPS
devstral-2 · analyzed Feb 18, 2026 Full analysis →
github WORKING POC
by XZ1r0 · pythonpoc
https://github.com/XZ1r0/cve-2026-poc-collection/tree/main/other/CVE-2026-1357

This repository contains a functional exploit for CVE-2026-1357, targeting WPvivid Backup & Migration plugin (≤ 0.9.123). The exploit leverages a cryptographic fail-open (null AES key) combined with path traversal to achieve unauthenticated arbitrary file upload, leading to RCE.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WPvivid Backup & Migration ≤ 0.9.123
No auth needed
Prerequisites: A 'Key' must have been generated in the WPvivid plugin settings and must not have expired.
devstral-2 · analyzed May 21, 2026 Full analysis →
nomisec WORKING POC
by masterwok · remote
https://github.com/masterwok/PoC-CVE-2026-1357

This repository contains a functional exploit for CVE-2026-1357, targeting the WPvivid Backup & Migration plugin for WordPress. The exploit leverages improper error handling in RSA decryption and lack of path sanitization to achieve unauthenticated arbitrary file upload, leading to remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WPvivid Backup & Migration plugin for WordPress (versions up to and including 0.9.123)
No auth needed
Prerequisites: Target must have the vulnerable WPvivid Backup & Migration plugin installed and activated · Plugin must have a generated key (initialization step)
devstral-2 · analyzed Apr 15, 2026 Full analysis →
nomisec WRITEUP
by 0xBlackash · poc
https://github.com/0xBlackash/CVE-2026-1357

This repository provides a detailed technical analysis of CVE-2026-1357, an unauthenticated RCE vulnerability in the WPvivid Backup & Migration WordPress plugin. It includes root cause analysis, patch details, and mitigation steps.

Classification
Writeup 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WPvivid Backup & Migration (≤ 0.9.123)
No auth needed
Prerequisites: Receive backup feature enabled · Valid/non-expired API token
devstral-2 · analyzed Apr 09, 2026 Full analysis →
nomisec WRITEUP
by 0xAshwesker · poc
https://github.com/0xAshwesker/CVE-2026-1357

This repository provides a detailed technical analysis of CVE-2026-1357, an unauthenticated RCE vulnerability in the WPvivid Backup & Migration WordPress plugin. It includes root cause analysis, patch details, and mitigation steps.

Classification
Writeup 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WPvivid Backup & Migration ≤ 0.9.123
No auth needed
Prerequisites: Receive backup feature enabled · Valid/non-expired API token
devstral-2 · analyzed Mar 18, 2026 Full analysis →
nomisec WORKING POC
by Nxploited · poc
https://github.com/Nxploited/CVE-2026-1357

This repository contains a functional exploit for CVE-2026-1357, targeting a vulnerability in WPvivid Backup Plugin. The exploit generates a malicious payload using AES encryption with a null key and sends it to the target, allowing arbitrary file write and potential remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WPvivid Backup Plugin (version not specified)
No auth needed
Prerequisites: Target must have WPvivid Backup Plugin installed and accessible · Network access to the target server
devstral-2 · analyzed Mar 11, 2026 Full analysis →
nomisec WORKING POC
by CVEs-Labs · remote
https://github.com/CVEs-Labs/CVE-2026-1357

This repository contains a functional exploit for CVE-2026-1357, targeting a cryptographic failure and directory traversal in the WPvivid WordPress plugin to achieve unauthenticated RCE via file upload. The PoC includes a Docker-based lab environment and a Python script that crafts a malicious payload to bypass authentication and upload a PHP shell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WPvivid Backup & Restore Plugin for WordPress (version 0.9.123)
No auth needed
Prerequisites: Docker and Docker Compose installed · Python 3 with requests and pycryptodome libraries · Target running vulnerable WPvivid plugin
devstral-2 · analyzed Mar 08, 2026 Full analysis →
nomisec WORKING POC
by rootdirective-sec · remote
https://github.com/rootdirective-sec/CVE-2026-1357-Lab

This repository contains a functional exploit PoC for CVE-2026-1357, targeting an unauthenticated RCE vulnerability in WPvivid Backup & Migration plugin versions ≤ 0.9.123. The exploit uploads a malicious payload via the 'send_to_site' action and achieves remote code execution through a webshell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WPvivid Backup & Migration plugin for WordPress (≤ 0.9.123)
No auth needed
Prerequisites: WPvivid plugin installed and configured to receive backups · Target must be running a vulnerable version (≤ 0.9.123)
devstral-2 · analyzed Feb 25, 2026 Full analysis →

Nuclei Templates (1)

WPvivid Backup & Migration <= 0.9.123 - Arbitrary File Upload
CRITICALVERIFIEDby omarkurt
Shodan: http.component:"WordPress"
FOFA: body="wp-content/plugins/wpvivid-backuprestore"

References (8)

Core 8
Core References

Scores

CVSS v3 9.8
EPSS 0.1470
EPSS Percentile 94.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Lab Environment

COMMUNITY SUSPICIOUS
Community Lab
docker pull wordpress:latest
docker pull wordpress:cli-2.10.0-php8.2
docker pull wordpress:6.4.3-php8.2-apache
+10 more repos

Details

VulnCheck KEV 2026-02-11
CWE
CWE-434
Status published
Products (2)
wpvividplugins/Migration, Backup, Staging – WPvivid Backup & Migration < 0.9.123
wpvividplugins/WPvivid — Backup, Migration & Staging < 0.9.123
Published Feb 11, 2026
Tracked Since Feb 18, 2026