
800K Sites Exposed: WPVivid Vulnerability Fix Guide

Critical WPVivid vulnerability (CVE-2026-1357) affects 800K WordPress sites. Check if you’re exposed, fix steps, WP-CLI audit commands, and security hardening tips.


A critical vulnerability in the WPVivid Backup & Migration plugin, installed on over 800,000 WordPress sites, was disclosed in January 2026. Tracked as CVE-2026-1357 with a CVSS score of 9.8, this flaw allows unauthenticated attackers to upload arbitrary files and execute malicious code on your server.

If you use WPVivid for backups or site migration, you need to check your version immediately. This guide covers what the vulnerability is, how to determine if you’re affected, exact steps to fix it, and WP-CLI commands to audit your installation.

What Is CVE-2026-1357?

CVE-2026-1357 is an unauthenticated arbitrary file upload vulnerability discovered in WPVivid Backup & Migration versions 0.9.123 and earlier. The vulnerability was reported to the WPVivid team on January 22, 2026, and a patched version (0.9.124) was released on January 28, 2026.

How the Exploit Works

The vulnerability exists in the plugin’s backup transfer functionality. When WPVivid attempts to decrypt a session key using RSA and the decryption fails, the plugin does not stop execution. Instead, it passes a false value into the AES cipher initialization routine.

The crypto library interprets this false value as a string of null bytes, creating a predictable encryption key. An attacker can encrypt a malicious PHP payload using this null-byte key, then upload it through the wpvivid_action=send_to_site parameter, all without any authentication.

Once uploaded, the attacker simply visits the uploaded PHP file in a browser to execute arbitrary code. This leads to full site compromise: database access, file manipulation, user data theft, backdoor installation, and complete server takeover.

CVSS 9.8: Why This Is Critical

The Common Vulnerability Scoring System rates this at 9.8 out of 10 for several reasons:

  • No authentication required: any internet user can attempt the exploit
  • Remote execution: attackable from anywhere, no physical or network access needed
  • Full impact: complete confidentiality, integrity, and availability compromise
  • Low complexity: the attack requires no special conditions or user interaction

Are You Affected? How to Check

Not every WPVivid installation is equally at risk. The exploit specifically targets the “receive a backup from another site” feature. Here’s how to determine your exposure level.

Check Your WPVivid Version

The most important step is confirming which version you’re running.

From the WordPress dashboard:

  1. Go to Plugins → Installed Plugins
  2. Find “Migration, Backup, Staging – WPvivid”
  3. Check the version number below the plugin name
  4. If it shows 0.9.123 or lower, you are vulnerable

Using WP-CLI (for multiple sites):
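An added example (not a command from the original post) that reads the installed version through WP-CLI and decides whether it is below 0.9.124. It assumes the wordpress.org plugin slug wpvivid-backuprestore and that wp is on the PATH; the numeric comparison matters because 0.9.9 is older than 0.9.124 even though a string comparison says otherwise.

```shell
#!/bin/sh
# Added example, not from the original post: decide whether an installed
# WPVivid version is vulnerable to CVE-2026-1357 (fixed in 0.9.124) and
# query that version with WP-CLI. Slug is the one used on wordpress.org.
PATCHED_VERSION="0.9.124"
WPVIVID_SLUG="wpvivid-backuprestore"

# version_lt A B: succeed when A is strictly older than B.
# Compares field by field numerically, so 0.9.9 < 0.9.124; a plain string
# comparison gets that wrong because "9" sorts after "1".
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"
    if [ "$a" = "$x" ]; then a=""; else a="${a#*.}"; fi
    if [ "$b" = "$y" ]; then b=""; else b="${b#*.}"; fi
    x="${x%%[!0-9]*}"; y="${y%%[!0-9]*}"   # drop suffixes such as -beta1
    x="${x:-0}"; y="${y:-0}"
    [ "$x" -lt "$y" ] && return 0
    [ "$x" -gt "$y" ] && return 1
  done
  return 1
}

# wpvivid_status VERSION: print VULNERABLE or PATCHED
wpvivid_status() {
  if version_lt "$1" "$PATCHED_VERSION"; then echo VULNERABLE; else echo PATCHED; fi
}

# check_site /path/to/wordpress: one report line per site
check_site() {
  ver=$(wp plugin get "$WPVIVID_SLUG" --field=version --path="$1" 2>/dev/null) || {
    echo "$1: WPVivid not installed"; return 0
  }
  echo "$1: $ver $(wpvivid_status "$ver")"
}

# Usage for many sites, one install path per line in sites.txt:
#   while read -r site; do check_site "$site"; done < sites.txt
```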

Check If the Vulnerable Feature Is Active

The exploit requires the “receive backup” transfer key to be active. This feature is disabled by default and the generated key expires within 24 hours. If you’ve never used WPVivid’s site-to-site transfer, your risk is lower, but you should still update.

To check:

  1. Open WPVivid in your dashboard
  2. Navigate to the Auto-Migration or Transfer tab
  3. Look for any active transfer keys
  4. If a key exists, revoke it immediately before updating

Check for Signs of Compromise

If you were running a vulnerable version with an active transfer key, check for suspicious activity: unexpected PHP files under wp-content/uploads, requests to the exploit endpoint in your access logs, and administrator accounts you did not create. The fix steps below show how to run each of these checks.

How to Fix It: Step-by-Step

Follow these steps in order. If you manage multiple WordPress sites, use the WP-CLI commands to batch the process.

1. Update WPVivid Immediately

Dashboard method:

  1. Go to Dashboard → Updates
  2. Find WPVivid in the plugin updates list
  3. Click Update Now
  4. Verify the version shows 0.9.124 or higher

WP-CLI method:

2. Revoke Any Active Transfer Keys

Even after updating, revoke any existing transfer keys as a precaution. Go to the WPVivid Transfer/Auto-Migration tab and remove all generated keys.

3. Scan for Uploaded Malicious Files

Run a thorough scan to ensure no malicious files were uploaded before the patch:
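An added example (not a scan from the original post) of the file-level part of that check. It looks for PHP-executable extensions under the uploads directory, for files of any extension that carry a PHP open tag, and for anything written recently; the directory path is whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the original post: look for PHP code under
# wp-content/uploads, where no executable file should ever live.
# Check 1: files with a PHP-executable extension.
# Check 2: files of any extension whose content carries a PHP open tag
#          (a "gif" that is really a script); limited to files under ~2 MB
#          (-size counts 512-byte blocks) to keep grep cheap.
# Check 3: anything written within a look-back window, to line up with the
#          dates in your access logs.

scan_uploads() {   # $1 = uploads directory
  {
    find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \
                          -o -iname '*.php[0-9]' \) -print
    find "$1" -type f -size -4096 -exec grep -laE '<\?php|<\?=' {} + 2>/dev/null
  } | sort -u
}

recent_uploads() {   # $1 = uploads directory, $2 = look-back window in days
  find "$1" -type f -mtime "-$2" -print | sort
}

# Usage on a live site:
#   scan_uploads /var/www/html/wp-content/uploads
#   recent_uploads /var/www/html/wp-content/uploads 45
```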

4. Review Server Access Logs

Search your web server access logs for any requests targeting the exploit endpoint:
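An added example (not from the original post) that pulls requests carrying the wpvivid_action=send_to_site parameter out of a combined-format access log, separates the ones the server accepted with a 200, counts them per source IP, and also lists direct requests to PHP files under uploads. The sample log lines are constructed; the request path in them is an assumption, so match on the parameter rather than the path.

```shell
#!/bin/sh
# Added example, not from the original post: find requests to the exploit
# endpoint in an Apache/Nginx combined-format access log and summarise them.
# Only the request line is logged, so a parameter carried in a POST body
# will not show up here; treat an absence of hits as inconclusive.
PATTERN='wpvivid_action=send_to_site'

# wpvivid_hits LOGFILE: "ip status method path" for each matching request
wpvivid_hits() {
  grep -F "$PATTERN" "$1" | awk '{ gsub(/"/, "", $6); print $1, $9, $6, $7 }'
}

# wpvivid_accepted LOGFILE: only requests answered with 200, the ones where
# an upload may actually have landed
wpvivid_accepted() {
  wpvivid_hits "$1" | awk '$2 == 200'
}

# wpvivid_per_ip LOGFILE: "count ip", most active source first
wpvivid_per_ip() {
  wpvivid_hits "$1" | awk '{ c[$1]++ } END { for (ip in c) print c[ip], ip }' | sort -rn
}

# uploads_php_requests LOGFILE: direct requests to PHP files under uploads,
# the second stage of the attack described above
uploads_php_requests() {
  awk '$7 ~ /\/wp-content\/uploads\/.*\.php/ { print $1, $9, $7 }' "$1"
}

# Constructed sample log for trying the functions offline (RFC 5737 addresses)
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [25/Jan/2026:10:02:11 +0000] "POST /?wpvivid_action=send_to_site HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.5 - - [25/Jan/2026:10:02:13 +0000] "GET /wp-content/uploads/2026/01/x.php HTTP/1.1" 200 57 "-" "python-requests/2.31"
198.51.100.7 - - [26/Jan/2026:04:40:01 +0000] "POST /?wpvivid_action=send_to_site HTTP/1.1" 403 199 "-" "curl/8.5.0"
203.0.113.5 - - [26/Jan/2026:04:41:09 +0000] "POST /?wpvivid_action=send_to_site HTTP/1.1" 200 312 "-" "python-requests/2.31"
192.0.2.9 - - [26/Jan/2026:05:00:00 +0000] "GET / HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
EOF
# Usage on a real log: wpvivid_per_ip /var/log/apache2/access.log
```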

If you find matching entries, your site may have been targeted. Review the source IPs, check if any PHP files were created in the timeframe, and consider a full malware scan.

Wordfence Protection Timeline

Wordfence responded quickly to this vulnerability:

  • January 22, 2026: vulnerability reported; Wordfence Premium/Care/Response firewall rule deployed
  • January 28, 2026: WPVivid released patched version 0.9.124
  • February 21, 2026: free Wordfence users receive the firewall rule

If you’re running Wordfence Free, you won’t have firewall protection against this specific exploit until February 21. The plugin update is your only protection right now. Consider upgrading to a premium WordPress security plugin for faster firewall rule deployment.

WP-CLI Audit Script for Multiple Sites

If you manage multiple WordPress installations, here’s a complete audit script:
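An added audit script (not the post's own) that also covers the WP-CLI update step above: it reads one WordPress root per line, records the installed WPVivid version, updates the plugin where present, enables auto-updates for it, re-reads the version and prints a CSV summary. It assumes the wpvivid-backuprestore slug and WP-CLI's plugin auto-updates subcommand (WordPress 5.5+, WP-CLI 2.5+).

```shell
#!/bin/sh
# Added example, not the post's own script: audit and remediate WPVivid
# across many installs with WP-CLI. Takes a file with one WordPress root
# per line, records the installed version, updates the plugin where it is
# present, turns on auto-updates for it (WordPress 5.5+ / WP-CLI 2.5+),
# re-reads the version and prints a CSV summary.
SLUG="wpvivid-backuprestore"

# plugin_version ROOT: installed version, or "-" when WPVivid is absent
plugin_version() {
  wp plugin get "$SLUG" --field=version --path="$1" 2>/dev/null || echo "-"
}

# remediate_site ROOT: one CSV line "root,before,after,auto_updates"
remediate_site() {
  before=$(plugin_version "$1")
  if [ "$before" = "-" ]; then
    echo "$1,-,-,n/a"
    return 0
  fi
  if ! wp plugin update "$SLUG" --path="$1" >/dev/null 2>&1; then
    echo "$1,$before,update-failed,skipped"
    return 0
  fi
  after=$(plugin_version "$1")
  if wp plugin auto-updates enable "$SLUG" --path="$1" >/dev/null 2>&1; then
    auto=enabled
  else
    auto=failed
  fi
  echo "$1,$before,$after,$auto"
}

# audit_all SITES_FILE: CSV report on stdout; afterwards, any "after" value
# below 0.9.124 or any update-failed row needs manual attention
audit_all() {
  echo "root,before,after,auto_updates"
  while IFS= read -r root; do
    [ -n "$root" ] && remediate_site "$root"
  done < "$1"
}

# Usage: sh wpvivid-audit.sh sites.txt > wpvivid-report.csv
if [ $# -eq 1 ]; then audit_all "$1"; fi
```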

Hardening Your WordPress Installation Against Similar Attacks

This vulnerability highlights broader security practices every WordPress site owner should follow. Adding these to your WordPress maintenance checklist will reduce your attack surface.

Block PHP Execution in Uploads

Even if an attacker uploads a PHP file to your uploads directory, you can prevent it from executing. Add this to your .htaccess file in wp-content/uploads/:

For Nginx servers, add this to your server block:
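An added example (not configuration from the original post) that writes both rules: an .htaccess for the uploads directory in Apache 2.4 and 2.2 syntax, and a snippet to include in the Nginx server block. The file paths are arguments you supply; the .htaccess only takes effect where AllowOverride permits it, and the Nginx rule must sit before the generic PHP handler location.

```shell
#!/bin/sh
# Added example, not from the original post: deny PHP execution under
# wp-content/uploads. write_uploads_htaccess appends an Apache rule (2.4 and
# 2.2 syntax) to the uploads .htaccess; write_uploads_nginx writes a snippet
# to include inside the Nginx server block. The .htaccess only takes effect
# when AllowOverride permits it for that directory.

write_uploads_htaccess() {   # $1 = uploads directory
  f="$1/.htaccess"
  if [ -f "$f" ] && grep -q 'Require all denied' "$f"; then
    echo "already present: $f"
    return 0
  fi
  cat >> "$f" <<'EOF'
# Block execution of PHP and PHP-like files uploaded here
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</FilesMatch>
EOF
  echo "written: $f"
}

write_uploads_nginx() {      # $1 = snippet file to write
  cat > "$1" <<'EOF'
# Include this BEFORE the generic "location ~ \.php$" handler: Nginx takes
# the first matching regex location in file order, so a later rule is ignored.
location ~* ^/wp-content/uploads/.*\.(php|phtml|phar|php[0-9])$ {
    deny all;
}
EOF
  echo "written: $1"
}

# Usage (paths are placeholders), then "nginx -t" / "apachectl configtest":
#   write_uploads_htaccess /var/www/html/wp-content/uploads
#   write_uploads_nginx /etc/nginx/snippets/wp-uploads-nophp.conf
```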

Enable Automatic Plugin Updates

For security-critical plugins, enable auto-updates to get patches as soon as they’re released:

Monitor File Changes

Set up file integrity monitoring to catch unauthorized changes early. WordPress security plugins like Wordfence include this feature, or you can use a simple cron-based approach:
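An added example of that cron-based approach (not a script from the original post): it hashes every file under a WordPress root except the uploads and cache trees, and on later runs reports files that were added, removed or modified, exiting non-zero so cron mails the output. It assumes sha256sum or shasum is available and does not handle paths containing spaces.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal cron-friendly
# file-integrity check. fim_baseline records a SHA-256 per file under a
# WordPress root, skipping the uploads and cache trees, which change
# constantly; fim_check reports ADDED, REMOVED and MODIFIED files against
# that baseline and exits non-zero when anything changed.
if command -v sha256sum >/dev/null 2>&1; then HASH=sha256sum; else HASH="shasum -a 256"; fi

fim_baseline() {   # $1 = wordpress root, $2 = baseline file to write
  ( cd "$1" && find . -type f ! -path './wp-content/uploads/*' \
                          ! -path './wp-content/cache/*' -exec $HASH {} + | sort -k2 ) > "$2"
}

fim_check() {      # $1 = wordpress root, $2 = existing baseline
  current=$(mktemp)
  fim_baseline "$1" "$current"
  # diff lines look like "< hash  ./file" (baseline) or "> hash  ./file" (now)
  changes=$(diff "$2" "$current" | awk '
    /^</ { old[$3] = $2 }
    /^>/ { new[$3] = $2 }
    END {
      for (f in old) print ((f in new) ? "MODIFIED " : "REMOVED ") f
      for (f in new) if (!(f in old)) print "ADDED " f
    }' | sort)
  rm -f "$current"
  [ -n "$changes" ] && printf '%s\n' "$changes"
  [ -z "$changes" ]
}

# Invoked as: wp-fim.sh ROOT BASELINE (creates the baseline on the first run).
# Hourly cron entry, output goes to MAILTO (paths are placeholders):
#   0 * * * * /usr/local/bin/wp-fim.sh /var/www/html /var/lib/wp-fim/baseline
if [ $# -eq 2 ]; then
  if [ -f "$2" ]; then fim_check "$1" "$2"; else fim_baseline "$1" "$2"; fi
fi
```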

Limit Plugin Permissions

Review which plugins have file write access. Backup plugins need it by design, but you can reduce risk by:

  • Using remote backup storage (S3, Google Drive) instead of local server storage
  • Disabling features you don’t use: if you don’t need site-to-site transfer, keep it disabled
  • Setting DISALLOW_FILE_EDIT in wp-config.php to prevent file editing from the dashboard
  • Using DISALLOW_FILE_MODS on production sites where you deploy via CI/CD

What to Do If You Were Compromised

If your logs show evidence of exploitation, take these steps immediately:

  1. Take the site offline: put up a maintenance page while you clean up
  2. Change all passwords: WordPress admin, database, FTP/SSH, hosting panel
  3. Delete unknown admin accounts: check wp user list --role=administrator
  4. Reinstall WordPress core: wp core download --force
  5. Reinstall all plugins: wp plugin install --force for each plugin
  6. Remove suspicious files: delete any PHP files in uploads and unknown files in wp-content
  7. Scan with Wordfence or Sucuri: run a full malware scan
  8. Restore from clean backup: if available, restore from a backup taken before the vulnerability window
  9. Update WordPress salts: wp config shuffle-salts to invalidate all sessions
  10. Monitor for 30 days: attackers often plant persistent backdoors that survive initial cleanup
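An added read-only triage example (not from the original post) to run before the destructive steps above: WP-CLI's verify-checksums commands compare core and plugin files against the wordpress.org originals, which catches injected code a filename scan misses, and flag_new_admins picks out administrator accounts registered on or after a date you choose. It assumes wp is on the PATH; plugins not hosted on wordpress.org cannot be verified this way, and the admin CSV is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original post: read-only triage for a site that
# may have been exploited. verify-checksums compares core and plugin files
# against the wordpress.org originals (plugins not hosted there cannot be
# verified this way). flag_new_admins reads the administrator CSV that
# "wp user list" prints and highlights accounts created on or after the
# start of the window you are investigating.

triage_site() {   # $1 = wordpress root, $2 = window start as YYYY-MM-DD
  wp core verify-checksums --path="$1"
  wp plugin verify-checksums --all --path="$1"
  wp user list --role=administrator \
     --fields=ID,user_login,user_email,user_registered --format=csv --path="$1" \
     | flag_new_admins "$2"
}

# flag_new_admins SINCE: CSV from wp user list on stdin, SINCE = YYYY-MM-DD.
# user_registered is "YYYY-MM-DD HH:MM:SS", so a string compare on the first
# ten characters is a correct date compare.
flag_new_admins() {
  awk -F, -v since="$1" '
    NR == 1 { next }
    substr($4, 1, 10) >= since { print "REVIEW " $2 " (" $3 ") registered " $4 }'
}

# Constructed sample of wp user list output, for running offline
SAMPLE_ADMINS='ID,user_login,user_email,user_registered
1,owner,owner@example.com,2021-03-04 09:12:00
17,wpsupport,support@example.net,2026-01-25 03:14:07
18,backupsvc,svc@example.net,2026-02-02 22:41:55'

# Usage: triage_site /var/www/html 2026-01-22
```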

Key Takeaways

  • CVE-2026-1357 affects WPVivid Backup versions 0.9.123 and below; update to 0.9.124+ immediately
  • The exploit requires the “receive backup” transfer feature to be active, but update regardless
  • Free Wordfence users won’t have firewall protection until February 21; the plugin update is your only defense
  • Use the WP-CLI commands in this guide to audit all your sites quickly
  • Block PHP execution in your uploads directory as a general hardening measure
  • Enable auto-updates for security-critical plugins to get patches faster

WordPress security is an ongoing process. This vulnerability is a reminder that even popular, well-maintained plugins can have critical flaws. Stay updated, monitor your sites, and always have a clean backup ready.


Last modified: March 26, 2026