CVE-2026-1357: Critical RCE in WPvivid Affects 900,000 WordPress Sites
CVE-2026-1357 is a critical unauthenticated remote code execution vulnerability in WPvivid Backup and Migration, a plugin installed on over 900,000 WordPress sites. CVSS score: 9.8. Update immediately.
Vulnerability Overview
CVE-2026-1357 is a critical remote code execution (RCE) vulnerability in the WPvivid Backup and Migration plugin for WordPress. At the time of disclosure, the plugin had an active install base of over 900,000 sites, making this one of the most significant WordPress plugin vulnerabilities of 2026 by potential impact.
CVSS Score: 9.8 (Critical)
Authentication Required: None
Access Required: Unauthenticated (no account needed)
What the Vulnerability Allows
The vulnerability allows an unauthenticated attacker to execute arbitrary PHP code on the web server hosting the affected WordPress installation. This means an attacker does not need to log in to your site, does not need any user account, and does not need to know your admin credentials. They only need to be able to send an HTTP request to your site.
Successful exploitation gives the attacker the same level of access as your web server process, which on most shared and managed hosting environments means they can read site files, write new files, access your WordPress database, and pivot to other sites hosted under the same account.
How to Check if You Are Affected
Log in to your WordPress admin panel and navigate to Plugins. Search for "WPvivid Backup" or "WPvivid." If the plugin is installed, check the version number. Any version prior to the patched release is vulnerable. The patched version was released within 48 hours of the CVE disclosure.
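For hosts that carry many WordPress installs, the same check can be run against the filesystem instead of each admin panel. The script below is an added example, not code from this advisory or from the plugin vendor: it finds plugin folders whose header names WPvivid and compares the installed version with a patched version you supply, because this page does not state that number. The demo tree, folder names and version numbers inside it are constructed.

```python
import re
import sys
import tempfile
from pathlib import Path

# Header fields as they appear in the comment block at the top of a plugin's main PHP file.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.I | re.M)

def parse_version(text):
    """'1.2.10' -> (1, 2, 10); trailing zeros dropped so 1.2 == 1.2.0."""
    nums = [int(n) for n in re.findall(r"\d+", text)]
    while nums and nums[-1] == 0:
        nums.pop()
    return tuple(nums)

def read_header(php_file):
    """Return the Plugin Name / Version fields found near the top of a PHP file."""
    try:
        head = php_file.read_text(errors="replace")[:8192]
    except OSError:
        return {}
    fields = {}
    for key, value in HEADER_RE.findall(head):
        fields.setdefault(key.lower(), value)  # first occurrence wins
    return fields

def find_wpvivid(root, patched_version):
    """List (plugin_dir, version, needs_action) for every WPvivid copy under root."""
    hits = []
    for plugins_dir in Path(root).glob("**/wp-content/plugins"):
        for php in plugins_dir.glob("*/*.php"):
            fields = read_header(php)
            if "wpvivid" in fields.get("plugin name", "").lower() and "version" in fields:
                old = parse_version(fields["version"]) < parse_version(patched_version)
                hits.append((str(php.parent), fields["version"], old))
    return sorted(hits)

if __name__ == "__main__":
    if len(sys.argv) == 3:  # real run: WEB_ROOT PATCHED_VERSION (from the vendor advisory)
        hits = find_wpvivid(sys.argv[1], sys.argv[2])
    else:                   # demo on a constructed tree with constructed versions
        with tempfile.TemporaryDirectory() as root:
            d = Path(root, "site/wp-content/plugins/demo-dir")
            d.mkdir(parents=True)
            (d / "main.php").write_text("<?php\n/* Plugin Name: WPvivid Backup Plugin\n * Version: 1.0.0\n */\n")
            hits = find_wpvivid(root, "2.0.0")
    for path, version, old in hits:
        print(f"{'UPDATE OR DELETE' if old else 'ok':16}  {version:10}  {path}")
```

Because it reads files on disk rather than asking WordPress, it also reports copies that are deactivated but still installed.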
Immediate Action Required
If you are running an affected version, update WPvivid immediately. If you cannot update for any reason, deactivate and delete the plugin until you are able to apply the patch. A deactivated but installed plugin can still be exploited through direct file access in some server configurations, so deletion is the safer option if you cannot update.
Broader Lesson: Backup Plugins Are High-Value Targets
Backup plugins have broad filesystem access by design. They need to read every file on your site in order to create complete backups. This makes them particularly valuable targets for attackers. A vulnerability in a backup plugin with filesystem read access can expose your entire site, including configuration files, database credentials, and encryption keys. Keep backup plugins updated as a top priority.