
Critical WordPress Plugin Flaw Exposes 900,000+ Sites to Remote Code Execution


A newly disclosed critical vulnerability in the WPvivid Backup & Migration plugin for WordPress, installed on more than 900,000 websites, could allow unauthenticated attackers to execute arbitrary code on vulnerable sites and potentially compromise the underlying server. The flaw, tracked as CVE-2026-1357, carries a CVSS score of 9.8 (critical), prompting urgent warnings from security researchers and calls for immediate patching.

Security analysts say the vulnerability stems from improper error handling and insufficient filename sanitization when the plugin processes uploaded files, which lets an attacker upload an arbitrary PHP file without authentication. Once a PHP file is written somewhere the web server will execute it, simply requesting that file runs the attacker's code on the server, giving remote command execution and full control of the affected WordPress installation.

Although the flaw affects all versions up to and including 0.9.123, actual exposure depends on the plugin's configuration. Researchers note that only sites with the “receive backup from another site” option enabled are at critical risk; that setting is used during migrations and backup transfers.

However, that feature is commonly used in real-world operations, meaning many sites remain exposed.

Security teams stress that site administrators should update the plugin as soon as possible, since the developers have already released a fix in version 0.9.124. The patch corrects the error handling logic, adds proper filename sanitization, and restricts uploads to expected backup formats such as ZIP, TAR, SQL and GZ. Administrators are strongly encouraged to apply the update immediately; a site that cannot update right away should at least disable the “receive backup from another site” option, since the vulnerable code path is only reachable while that option is on.
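The kind of filename check the two passages above describe (an extension allowlist plus sanitization of the uploaded name) is shown below as an added, stand-alone PHP example. It is not code from the WPvivid plugin or its patch: the function name, the constants and the sample filenames are all constructed for illustration. The check also goes a little beyond what the article states, rejecting executable extensions anywhere in the name, dotfiles such as .htaccess, null bytes and path separators, because those are the usual ways an upload filter that only inspects the final extension gets bypassed.

```php
<?php
// Added example, not WPvivid's code: a strict filename check of the kind a
// backup-receiving endpoint needs before writing an uploaded file to disk.
// Stand-alone PHP; all names and sample inputs here are hypothetical.

declare(strict_types=1);

// Backup formats the article says the patched plugin accepts.
const ALLOWED_BACKUP_EXTENSIONS = ['zip', 'tar', 'sql', 'gz'];

// Extensions a web server may hand to the PHP interpreter. Any of these
// appearing anywhere in the name (not only at the end) is rejected, because
// with Apache's AddHandler a name like "backup.php.gz" can still run as PHP.
const EXECUTABLE_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'phps', 'pht',
];

/**
 * Returns null when $name is an acceptable backup filename, otherwise a short
 * reason string. The caller should log the reason and abort the upload.
 */
function validate_backup_filename(string $name): ?string
{
    // A null byte can truncate the name inside lower-level filesystem calls.
    if (strpos($name, "\0") !== false) {
        return 'null byte in filename';
    }
    // Directory separators would let the file escape the backup directory.
    if (strpbrk($name, "/\\") !== false) {
        return 'path separator in filename';
    }
    // Dotfiles cover ".htaccess" and ".user.ini", which can make otherwise
    // harmless extensions executable for every file in the directory.
    if ($name === '' || $name[0] === '.') {
        return 'empty or hidden filename';
    }
    $parts = explode('.', strtolower($name));
    if (count($parts) < 2) {
        return 'no extension';
    }
    // Every extension segment after the base name is checked, so
    // "site.php.zip" and "site.zip.php" are both refused.
    foreach (array_slice($parts, 1) as $segment) {
        if (in_array($segment, EXECUTABLE_EXTENSIONS, true)) {
            return "executable extension .$segment";
        }
    }
    $last = end($parts);
    if (!in_array($last, ALLOWED_BACKUP_EXTENSIONS, true)) {
        return "extension .$last not in allowlist";
    }
    return null;
}

// Constructed sample names for the demonstration, not taken from any real exploit.
$samples = [
    'site-2026-01-10.zip',
    'db.sql',
    'files.tar.gz',
    'shell.php',
    'shell.php.zip',            // double extension, PHP in the middle
    'backup.zip.phtml',
    '../../wp-config.php.zip',  // path traversal
    '.htaccess',
    "cover.zip\0.php",          // null-byte truncation attempt
    'README',
];

foreach ($samples as $s) {
    $reason = validate_backup_filename($s);
    printf("%-28s %s\n", addcslashes($s, "\0"), $reason === null ? 'ACCEPT' : "REJECT: $reason");
}
```

Run it with `php` from the command line; the loop prints which of the constructed names would be accepted (only the first three). A check like this is defense in depth, not a substitute for the rest of the fix: the endpoint that receives a backup should still require authentication and honour the “receive backup from another site” setting, and the written file should land outside the web root or in a directory where PHP execution is disabled.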

For WordPress, third-party plugins continue to be a top attack vector, where vulnerabilities can expose large swathes of sites to automated and targeted threats if left unpatched. Similar critical flaws in other plugins in recent years have led to widespread site compromise and underscore the need for vigilant patch management practices.

Failing to update could open the door to a range of malicious activity, from data theft and malware distribution to complete site takeover.

WordPress site operators are advised not only to patch this plugin but also to review all third-party plugins and themes regularly for security updates as part of a robust defense strategy.

Abdul Wasay

Abdul Wasay explores emerging trends across AI, cybersecurity, startups and social media platforms in a way anyone can easily follow.