A critical vulnerability in the WPVivid Backup & Migration plugin — installed on over 800,000 WordPress sites — was disclosed in January 2026. Tracked as CVE-2026-1357 with a CVSS score of 9.8, this flaw allows unauthenticated attackers to upload arbitrary files and execute malicious code on your server.
If you use WPVivid for backups or migrations, you need to check your version immediately. This guide covers what the vulnerability is, how to determine if you’re affected, exact steps to fix it, and WP-CLI commands to audit your installation.
What Is CVE-2026-1357?
CVE-2026-1357 is an unauthenticated arbitrary file upload vulnerability discovered in WPVivid Backup & Migration versions 0.9.123 and earlier. The vulnerability was reported to the WPVivid team on January 22, 2026, and a patched version (0.9.124) was released on January 28, 2026.
How the Exploit Works
The vulnerability exists in the plugin’s backup transfer functionality. When WPVivid attempts to decrypt a session key using RSA and the decryption fails, the plugin does not stop execution. Instead, it passes a false value into the AES cipher initialization routine.
The crypto library interprets this false value as a string of null bytes, creating a predictable encryption key. An attacker can encrypt a malicious PHP payload using this null-byte key, then upload it through the wpvivid_action=send_to_site parameter — all without any authentication.
Once uploaded, the attacker simply visits the uploaded PHP file in a browser to execute arbitrary code. This leads to full site compromise: database access, file manipulation, user data theft, backdoor installation, and complete server takeover.
CVSS 9.8 — Why This Is Critical
The Common Vulnerability Scoring System rates this at 9.8 out of 10 for several reasons:
- No authentication required — Any internet user can attempt the exploit
- Remote execution — Attackable from anywhere, no physical or network access needed
- Full impact — Complete confidentiality, integrity, and availability compromise
- Low complexity — The attack requires no special conditions or user interaction
Are You Affected? How to Check
Not every WPVivid installation is equally at risk. The exploit specifically targets the “receive a backup from another site” feature. Here’s how to determine your exposure level.
Check Your WPVivid Version
The most important step is confirming which version you’re running.
From the WordPress dashboard:
- Go to Plugins → Installed Plugins
- Find “Migration, Backup, Staging – WPvivid”
- Check the version number below the plugin name
- If it shows 0.9.123 or lower, you are vulnerable
Using WP-CLI (for multiple sites):
# Check WPVivid version on a single site
wp plugin list --name=wpvivid-backuprestore --fields=name,version,status
# Check across all sites on a multisite network
wp site list --field=url | xargs -I {} wp plugin list --name=wpvivid-backuprestore --fields=name,version,status --url={}
Check If the Vulnerable Feature Is Active
The exploit requires the “receive backup” transfer key to be active. This feature is disabled by default and the generated key expires within 24 hours. If you’ve never used WPVivid’s site-to-site transfer, your risk is lower — but you should still update.
To check:
- Open WPVivid in your dashboard
- Navigate to the Auto-Migration or Transfer tab
- Look for any active transfer keys
- If a key exists, revoke it immediately before updating
Check for Signs of Compromise
If you were running a vulnerable version with an active transfer key, check for suspicious activity:
# Look for recently modified PHP files in uploads
find wp-content/uploads -name "*.php" -mtime -30 -ls
# Check for unknown files in the WPVivid directory
ls -la wp-content/plugins/wpvivid-backuprestore/
# Search for common webshell signatures
grep -rn "eval(base64_decode" wp-content/uploads/
grep -rn "system(\$_" wp-content/
grep -rn "exec(\$_GET" wp-content/
# Check access logs for the exploit endpoint
grep "wpvivid_action=send_to_site" /var/log/apache2/access.log
grep "wpvivid_action=send_to_site" /var/log/nginx/access.log
How to Fix It: Step-by-Step
Follow these steps in order. If you manage multiple WordPress sites, use the WP-CLI commands to batch the process.
1. Update WPVivid Immediately
Dashboard method:
- Go to Dashboard → Updates
- Find WPVivid in the plugin updates list
- Click Update Now
- Verify the version shows 0.9.124 or higher
WP-CLI method:
# Update WPVivid
wp plugin update wpvivid-backuprestore
# Verify the update
wp plugin list --name=wpvivid-backuprestore --fields=name,version,update_available
2. Revoke Any Active Transfer Keys
Even after updating, revoke any existing transfer keys as a precaution. Go to the WPVivid Transfer/Auto-Migration tab and remove all generated keys.
3. Scan for Uploaded Malicious Files
Run a thorough scan to ensure no malicious files were uploaded before the patch:
# Scan for PHP files in non-PHP directories (parentheses group the -o alternatives so -type f applies to all of them)
find wp-content/uploads -type f \( -name "*.php" -o -name "*.phtml" -o -name "*.php5" \)
# Check WordPress core file integrity
wp core verify-checksums
# Verify plugin file integrity
wp plugin verify-checksums --all
# List any recently created admin users
wp user list --role=administrator --fields=ID,user_login,user_registered --format=table
4. Review Server Access Logs
Search your web server access logs for any requests targeting the exploit endpoint:
# Apache
grep -i "wpvivid_action" /var/log/apache2/access.log | grep -i "send_to_site"
# Nginx
grep -i "wpvivid_action" /var/log/nginx/access.log | grep -i "send_to_site"
# If using cPanel/Plesk, check domain-specific logs
grep -i "wpvivid_action" ~/access-logs/yourdomain.com
If you find matching entries, your site may have been targeted. Review the source IPs, check if any PHP files were created in the timeframe, and consider a full malware scan.
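To turn the grep commands above into a repeatable triage, here is an added example (not part of the original article) that summarises endpoint hits per source IP and then lists any requests by those IPs for PHP files under wp-content/uploads. The log lines are constructed samples in combined log format; the request path and file names in them are placeholders, not the plugin's real endpoint.

```shell
#!/bin/sh
# Added example (not from the original article): triage access-log hits on the
# wpvivid_action=send_to_site parameter. The log lines below are constructed samples
# in Apache/Nginx combined format; the request path and filenames are placeholders.
SAMPLE_LOG='203.0.113.7 - - [23/Jan/2026:04:12:09 +0000] "POST /index.php?wpvivid_action=send_to_site HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.21 - - [23/Jan/2026:04:12:11 +0000] "GET /wp-content/uploads/2026/01/hero.jpg HTTP/1.1" 200 88211 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Jan/2026:04:12:15 +0000] "POST /index.php?wpvivid_action=send_to_site HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [23/Jan/2026:04:12:20 +0000] "GET /wp-content/uploads/wpvivid/x.php HTTP/1.1" 200 31 "-" "python-requests/2.31"
192.0.2.44 - - [24/Jan/2026:09:00:01 +0000] "POST /index.php?wpvivid_action=send_to_site HTTP/1.1" 403 0 "-" "curl/8.4"'

write_sample_log() { printf '%s\n' "$SAMPLE_LOG" > "$1"; }

# Per source IP: how many requests hit the endpoint and how many got HTTP 200.
# A 403 (for example from a firewall rule) is an attempt; a 200 needs a closer look.
triage_by_ip() {
  grep 'wpvivid_action=send_to_site' "$1" | awk '
    { hits[$1]++; if ($9 == 200) ok[$1]++ }
    END { for (ip in hits) printf "%s hits=%d http200=%d\n", ip, hits[ip], ok[ip] + 0 }' | sort
}

# For each IP that touched the endpoint, list its requests for PHP files under
# wp-content/uploads: fetching such a file is how an uploaded payload would be run.
followup_php_requests() {
  grep 'wpvivid_action=send_to_site' "$1" | awk '{ print $1 }' | sort -u |
  while read -r ip; do
    awk -v ip="$ip" '$1 == ip && $7 ~ "^/wp-content/uploads/.*[.]php" { print $1, $4, $7, $9 }' "$1"
  done
}

tmp=$(mktemp)
write_sample_log "$tmp"
echo "== endpoint hits per IP =="; triage_by_ip "$tmp"
echo "== PHP fetched from uploads by those IPs =="; followup_php_requests "$tmp"
rm -f "$tmp"
```

Point the two functions at your real access log instead of the sample file; any IP that appears in the second list, with a 200, is where to start a file-system review.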
Wordfence Protection Timeline
Wordfence responded quickly to this vulnerability:
- January 22, 2026 — Vulnerability reported; Wordfence Premium/Care/Response firewall rule deployed
- January 28, 2026 — WPVivid released patched version 0.9.124
- February 21, 2026 — Free Wordfence users receive the firewall rule
If you’re running Wordfence Free, you won’t have firewall protection against this specific exploit until February 21. The plugin update is your only protection right now. Consider upgrading to a premium WordPress security plugin for faster firewall rule deployment.
WP-CLI Audit Script for Multiple Sites
If you manage multiple WordPress installations, here’s a complete audit script:
#!/bin/bash
# WPVivid Vulnerability Audit Script
# Run from the parent directory containing your WordPress installations
echo "=== WPVivid CVE-2026-1357 Audit ==="
echo "Date: $(date)"
echo ""
for site in */; do
    if [ -f "${site}wp-config.php" ]; then
        echo "--- Checking: $site ---"
        # Check if WPVivid is installed (CSV output is a "version" header line followed by the value)
        version=$(wp plugin list --name=wpvivid-backuprestore --fields=version --format=csv --path="$site" 2>/dev/null | tail -1)
        if [ -n "$version" ] && [ "$version" != "version" ]; then
            echo "  WPVivid version: $version"
            # Compare versions: if the lower of (0.9.124, installed) is not 0.9.124, the installed version is older
            if [ "$(printf '%s\n' "0.9.124" "$version" | sort -V | head -1)" != "0.9.124" ]; then
                echo "  STATUS: VULNERABLE - Update required!"
            else
                echo "  STATUS: Patched"
            fi
            # Check for suspicious PHP files in uploads
            php_count=$(find "${site}wp-content/uploads" -name "*.php" 2>/dev/null | wc -l)
            echo "  PHP files in uploads: $php_count"
        else
            echo "  WPVivid: Not installed"
        fi
        echo ""
    fi
done
Hardening Your WordPress Installation Against Similar Attacks
This vulnerability highlights broader security practices every WordPress site owner should follow. Adding these to your WordPress maintenance checklist will reduce your attack surface.
Block PHP Execution in Uploads
Even if an attacker uploads a PHP file to your uploads directory, you can prevent it from executing. Add this to your .htaccess file in wp-content/uploads/:
# wp-content/uploads/.htaccess
# Deny only PHP files, so images and other uploads stay reachable
<FilesMatch "\.(php|phtml|php5)$">
    Order Deny,Allow
    Deny from all
    # On Apache 2.4 without mod_access_compat, replace the two lines above with: Require all denied
</FilesMatch>
For Nginx servers, add this to your server block. Place it before the location block that hands .php requests to PHP-FPM: Nginx uses the first matching regex location, so a rule placed after it would never be reached.
location ~* ^/wp-content/uploads/.*\.php$ {
    deny all;
}
Enable Automatic Plugin Updates
For security-critical plugins, enable auto-updates to get patches as soon as they’re released:
# Enable auto-updates for specific plugins
wp plugin auto-updates enable wpvivid-backuprestore
wp plugin auto-updates enable wordfence
# Or enable for all plugins
wp plugin auto-updates enable --all
Monitor File Changes
Set up file integrity monitoring to catch unauthorized changes early. WordPress security plugins like Wordfence include this feature, or you can use a simple cron-based approach:
# Create a baseline of your WordPress files
find /path/to/wordpress -type f -name "*.php" -exec md5sum {} \; > /root/wp-baseline.md5
# Compare against baseline (run daily via cron)
md5sum -c /root/wp-baseline.md5 2>/dev/null | grep FAILED
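One gap in the baseline approach above: `md5sum -c` only checks files that were in the baseline, so a PHP file dropped into uploads after the baseline was taken is never reported. The added example below (not part of the original article; it uses sha256sum instead of md5sum) builds the same kind of baseline and then reports modified, added and removed PHP files. The scratch tree it creates is constructed to stand in for a WordPress install.

```shell
#!/bin/sh
# Added example (not from the original article): baseline-and-compare integrity check
# for PHP files that also reports files ADDED since the baseline, which the
# `md5sum -c baseline | grep FAILED` approach cannot see. Assumes paths without whitespace.

# Hash every PHP file under a WordPress root into "hash  ./path" lines, sorted by path.
build_baseline() { # $1 = wordpress root, $2 = baseline file to write
  (cd "$1" && find . -type f -name '*.php' -exec sha256sum {} + | sort -k2) > "$2"
}

# Re-hash the tree and diff it against the baseline: MODIFIED, ADDED and REMOVED paths.
compare_baseline() { # $1 = wordpress root, $2 = baseline file
  current=$(mktemp)
  build_baseline "$1" "$current"
  awk 'FILENAME == ARGV[1] { base[$2] = $1; next }
       { seen[$2] = 1
         if (!($2 in base))        print "ADDED", $2
         else if (base[$2] != $1)  print "MODIFIED", $2 }
       END { for (p in base) if (!(p in seen)) print "REMOVED", p }' "$2" "$current" | sort
  rm -f "$current"
}

# Constructed scratch tree standing in for a WordPress install.
root=$(mktemp -d); baseline=$(mktemp)
mkdir -p "$root/wp-content/uploads/2026/01"
printf '<?php // original\n' > "$root/wp-settings.php"
build_baseline "$root" "$baseline"
printf '<?php // tampered\n' > "$root/wp-settings.php"                          # simulate a modified core file
printf '<?php // dropped\n' > "$root/wp-content/uploads/2026/01/dropped.php"   # simulate a dropped file
compare_baseline "$root" "$baseline"   # prints ADDED ... and MODIFIED ... lines
rm -rf "$root" "$baseline"
```

For real use, run build_baseline once after a clean update and call compare_baseline from cron, alerting on any non-empty output.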
Limit Plugin Permissions
Review which plugins have file write access. Backup plugins need it by design, but you can reduce risk by:
- Using remote backup storage (S3, Google Drive) instead of local server storage
- Disabling features you don’t use — if you don’t need site-to-site transfer, keep it disabled
- Setting DISALLOW_FILE_EDIT in wp-config.php to prevent file editing from the dashboard
- Using DISALLOW_FILE_MODS on production sites where you deploy via CI/CD
// Add to wp-config.php
define('DISALLOW_FILE_EDIT', true);
// For production sites with CI/CD deployment
define('DISALLOW_FILE_MODS', true);
What to Do If You Were Compromised
If your logs show evidence of exploitation, take these steps immediately:
- Take the site offline — Put up a maintenance page while you clean up
- Change all passwords — WordPress admin, database, FTP/SSH, hosting panel
- Delete unknown admin accounts — Check wp user list --role=administrator
- Reinstall WordPress core — wp core download --force
- Reinstall all plugins — wp plugin install <plugin-slug> --force for each plugin
- Remove suspicious files — Delete any PHP files in uploads and unknown files in wp-content
- Scan with Wordfence or Sucuri — Run a full malware scan
- Restore from clean backup — If available, restore from a backup taken before the vulnerability window
- Update WordPress salts — wp config shuffle-salts to invalidate all sessions
- Monitor for 30 days — Attackers often plant persistent backdoors that survive initial cleanup
Key Takeaways
- CVE-2026-1357 affects WPVivid Backup versions 0.9.123 and below — update to 0.9.124+ immediately
- The exploit requires the “receive backup” transfer feature to be active, but update regardless
- Free Wordfence users won’t have firewall protection until February 21 — the plugin update is your only defense
- Use the WP-CLI commands in this guide to audit all your sites quickly
- Block PHP execution in your uploads directory as a general hardening measure
- Enable auto-updates for security-critical plugins to get patches faster
WordPress security is an ongoing process. This vulnerability is a reminder that even popular, well-maintained plugins can have critical flaws. Stay updated, monitor your sites, and always have a clean backup ready.
Last modified: February 16, 2026