9.8 Critical Alert: The Flaw Threatening 900,000 WordPress Sites
A critical vulnerability has been found in a widely used WordPress backup plugin that allows an unauthenticated attacker to take over a website. The flaw affects the WPvivid Backup & Migration plugin, which is installed on more than 900,000 sites.
The deficiency was identified by security researcher Lucas Montes, operating under the moniker NiRoX, who disclosed his findings through the Wordfence bug bounty program. Cataloged as CVE-2026-1357, the vulnerability earned a staggering CVSS score of 9.8 out of 10. It plagues all iterations of the plugin up to and including version 0.9.123. The developers have since issued a remediation in version 0.9.124.
The defect lies in the mechanism that receives backups sent from other sites. The plugin accepts backup transfers authorized by a special temporary key; the feature is disabled by default and a key is valid for only 24 hours, but once a key was active an attacker could bypass the decryption validation and upload files with arbitrary content. The problem was compounded by the absence of strict checks on file names and extensions, which made it possible to place malicious scripts in web-accessible server directories.
Through such a script an attacker could execute code on the server and gain full control of the website. Vulnerabilities of this kind are routinely exploited to install hidden command modules and to stage further malicious activity.
Wordfence corroborated the existence of the flaw and formally notified the developers on January 22. The WPvivid team responded with commendable celerity, initiating the patching process the following day. The refined version, released on January 28, integrates mandatory decryption key validation and stringent file-type restrictions, permitting only recognized backup formats.
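The two controls the article attributes to the fix, a mandatory check of the temporary transfer key and a file-type restriction that accepts only recognized backup formats, are illustrated below. This is an added example written for this article, not WPvivid's code (the plugin itself is PHP; the same validation pattern is shown here in Python so it can be run stand-alone). The 24-hour key lifetime is taken from the article; the allowed extension list (`zip`), the executable-extension denylist, and the key storage shape are assumptions.

```python
import hmac
import os
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumption: backup archives are ZIP files. The article only says the fix
# permits "recognized backup formats"; adjust the allowlist to the real set.
ALLOWED_EXTENSIONS = {"zip"}

# Assumption: stacked extensions (backup.php.zip) are rejected outright so a
# server configured for multi-extension handling cannot execute the upload.
EXECUTABLE_EXTENSIONS = {"php", "php5", "php7", "phtml", "phar", "html", "htm", "js"}

# From the article: transfer keys live for 24 hours.
KEY_LIFETIME_SECONDS = 24 * 60 * 60

# Only portable file-name characters; no slashes, backslashes or control bytes.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+")


@dataclass
class TransferKey:
    """Constructed representation of a stored temporary transfer key."""
    secret: bytes
    issued_at: float   # Unix time the key was generated
    enabled: bool      # feature is off by default; a key only counts when enabled


def key_is_valid(stored: Optional[TransferKey], presented: str, now: float) -> bool:
    """Mandatory key validation: feature on, key within lifetime, constant-time match."""
    if stored is None or not stored.enabled:
        return False
    if now < stored.issued_at or now - stored.issued_at > KEY_LIFETIME_SECONDS:
        return False
    return hmac.compare_digest(stored.secret, presented.encode("utf-8"))


def filename_is_safe(name: str) -> bool:
    """File-type restriction: a bare name with an allowlisted, non-stacked extension."""
    if not name or name in (".", "..") or name != os.path.basename(name):
        return False                      # path components or traversal
    if not SAFE_NAME.fullmatch(name):
        return False                      # unexpected characters
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False                      # no extension, or no stem (".zip")
    if parts[-1] not in ALLOWED_EXTENSIONS:
        return False                      # not a recognized backup format
    if any(p in EXECUTABLE_EXTENSIONS for p in parts[:-1]):
        return False                      # stacked extension such as shell.php.zip
    return True


def validate_upload(filename: str, stored: Optional[TransferKey],
                    presented_key: str, now: float) -> Tuple[bool, str]:
    """Accept an incoming backup only if both controls pass; return (ok, reason)."""
    if not key_is_valid(stored, presented_key, now):
        return False, "invalid, disabled or expired transfer key"
    if not filename_is_safe(filename):
        return False, "file name or type not permitted"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: key issued at t=1000, requests arrive at t=2000.
    key = TransferKey(secret=b"constructed-example-secret", issued_at=1000.0, enabled=True)
    for fname in ("site-backup.zip", "shell.php", "shell.php.zip", "../wp-content/x.zip"):
        print(fname, "->", validate_upload(fname, key, "constructed-example-secret", 2000.0))
```

Both checks are applied in order and the key check cannot be skipped, which is the property the article says was missing before version 0.9.124; the reason string is returned rather than the rejected name so that nothing attacker-controlled is echoed into logs or responses.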
Subscribers to the premium Wordfence security suite received firewall rules to obstruct these incursions on January 22, while users of the free tier will receive equivalent protection following a 30-day latency period.
Administrators of WordPress sites are urged to expedite the update of the WPvivid Backup plugin to version 0.9.124 or later. This is particularly vital for those who have utilized the remote backup reception feature and generated temporary access keys.