800,000 WordPress Sites Affected by Arbitrary File Upload Vulnerability in WPvivid Backup WordPress Plugin

On January 12th, 2026, we received a submission for an Arbitrary File Upload vulnerability in WPvivid Backup, a WordPress plugin with more than 800,000 active installations. This vulnerability can be used by unauthenticated attackers to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover. Please note that this vulnerability only critically affects users who have a generated key in the plugin settings to allow another site to send a backup to their site. This feature is disabled by default, and the key expiration can only be set to a maximum of 24 hours.

Props to Lucas Montes (NiRoX) who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This vulnerability was reported to our program just five days after it was introduced. This researcher earned a bounty of $2,145.00 for this discovery. Our mission is to secure WordPress through defense in depth, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure through the detection and prevention of vulnerabilities, which is a critical element to our multi-layered approach to security.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on January 22, 2026. Sites using the free version of Wordfence will receive the same protection 30 days later on February 21, 2026.

We contacted the WPvivid team on January 22, 2026, and received a response the next day. After providing full disclosure details, the developer released the patch on January 28, 2026. We would like to commend the WPvivid team for their prompt response and timely and transparent patch.

We urge users to update their sites with the latest patched version of WPvivid Backup, version 0.9.124 at the time of this publication, as soon as possible.


📢 Did you know Wordfence runs a Bug Bounty Program for all WordPress plugins and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest.

Vulnerability Summary from Wordfence Intelligence

CVSS Rating: 9.8 (Critical)
Affected Versions: <= 0.9.123
Patched Version: 0.9.124
Bounty: $2,145.00
Affected Software:
Affected Software Slug:

The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Upload in versions up to and including 0.9.123. This is due to improper error handling in the RSA decryption process combined with a lack of path sanitization when writing uploaded files. When the plugin fails to decrypt a session key using openssl_private_decrypt(), it does not terminate execution and instead passes the boolean false value to the phpseclib library’s AES cipher initialization. The library treats this false value as a string of null bytes, allowing an attacker to encrypt a malicious payload using a predictable null-byte key. Additionally, the plugin accepts filenames from the decrypted payload without sanitization, enabling directory traversal to escape the protected backup directory. This makes it possible for unauthenticated attackers to upload arbitrary PHP files to publicly accessible directories and achieve Remote Code Execution via the wpvivid_action=send_to_site parameter.

Technical Analysis

WPvivid Backup is a WordPress plugin that contains many features for backup and restore. It is possible to receive a backup from another site, which requires a short-term generated key.

Examining the code reveals that the plugin uses the send_to_site() function in the WPvivid_Send_to_site class to handle receiving a backup file from another site, a request that must be authorised with the generated key.

public function send_to_site()
{
    include_once WPVIVID_PLUGIN_DIR . '/includes/class-wpvivid-crypt.php';
    $test_log=new WPvivid_Log();
    $test_log->CreateLogFile('test_backup','no_folder','transfer');
    $test_log->WriteLog('test upload.','notice');
    try
    {
        if(isset($_POST['wpvivid_content']))
        {
            global $wpvivid_plugin;
            $wpvivid_plugin->wpvivid_log=new WPvivid_Log();

            $default=array();
            $option=get_option('wpvivid_api_token',$default);
            if(empty($option))
            {
                die();
            }
            if($option['expires'] !=0 && $option['expires']<time())
            {
                die();
            }
            $crypt=new WPvivid_crypt(base64_decode($option['private_key']));
            $body=base64_decode($_POST['wpvivid_content']);
            $data=$crypt->decrypt_message($body);

The plugin uses the key generated in the settings to RSA-decrypt the $key value extracted from the message. If that value cannot be decrypted, $rsa->decrypt() returns false. Unfortunately, the plugin passes this false value straight to the Rijndael cipher's setKey(), and phpseclib treats it as a string of null bytes, so a key made entirely of null bytes is what it uses for decryption.

public function decrypt_message($message)
{
    $len = substr($message, 0, 3);
    $len = hexdec($len);
    $key = substr($message, 3, $len);

    $cipherlen = substr($message, ($len + 3), 16);
    $cipherlen = hexdec($cipherlen);

    $data = substr($message, ($len + 19), $cipherlen);
    $rsa = new Crypt_RSA();
    $rsa->loadKey($this->public_key);
    $key=$rsa->decrypt($key);
    $rij = new Crypt_Rijndael();
    $rij->setKey($key);
    return $rij->decrypt($data);
}

This means that whenever the RSA-encrypted key in a message is invalid, decryption silently falls back to this predictable null-byte key instead of failing, so an attacker who encrypts data under that known key has it accepted as genuine. The file upload function that then writes the decrypted content takes the filename from the payload without sanitization and does not contain any file type or extension checks. This ultimately makes it possible for unauthenticated attackers to upload arbitrary malicious PHP code and then access the file to trigger remote code execution on the server.
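To illustrate the fail-closed handling the vulnerable code lacked, here is an added example that is not code from the WPvivid plugin or from Wordfence, written in Python rather than PHP. It parses the same message framing that decrypt_message() reads (3 hex digits of key length, the RSA-encrypted session key, 16 hex digits of ciphertext length, the ciphertext) but refuses to continue when any length field is malformed, and it validates the decrypted session key before any block cipher sees it. The rsa_decrypt callback is a stand-in for Crypt_RSA::decrypt(), and the sample message is constructed for the example.

```python
"""Fail-closed handling of the send_to_site message envelope.

Added example, not code from the WPvivid plugin or from Wordfence. It mirrors the
framing decrypt_message() reads (3 hex digits of key length, the RSA-encrypted
session key, 16 hex digits of ciphertext length, the ciphertext) but rejects
malformed input, and it validates the decrypted session key before any block
cipher sees it. The rsa_decrypt callback is a stand-in for Crypt_RSA::decrypt().
"""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

AES_KEY_SIZES = (16, 24, 32)
HEX_DIGITS = frozenset(b"0123456789abcdefABCDEF")


class EnvelopeError(ValueError):
    """Any framing or key problem; the caller must abort the upload."""


@dataclass(frozen=True)
class Envelope:
    encrypted_key: bytes
    ciphertext: bytes


def _hex_field(message: bytes, start: int, width: int) -> int:
    """Read a fixed-width hex length field. Unlike hexdec() on a short or
    non-hex substring, this refuses instead of quietly yielding 0."""
    field = message[start:start + width]
    if len(field) != width or any(c not in HEX_DIGITS for c in field):
        raise EnvelopeError(f"bad length field at offset {start}")
    return int(field.decode("ascii"), 16)


def parse_envelope(message: bytes) -> Envelope:
    """Split a message into its encrypted key and ciphertext, checking every bound."""
    key_len = _hex_field(message, 0, 3)
    if key_len == 0:
        raise EnvelopeError("empty encrypted key")
    key_end = 3 + key_len
    encrypted_key = message[3:key_end]
    if len(encrypted_key) != key_len:
        raise EnvelopeError("truncated encrypted key")
    cipher_len = _hex_field(message, key_end, 16)
    data_start = key_end + 16
    ciphertext = message[data_start:data_start + cipher_len]
    if len(ciphertext) != cipher_len:
        raise EnvelopeError("truncated ciphertext")
    if len(message) != data_start + cipher_len:
        raise EnvelopeError("trailing bytes after ciphertext")
    return Envelope(encrypted_key, ciphertext)


def require_session_key(decrypt_result: object) -> bytes:
    """Accept only a real AES key. The vulnerable code passed a failed
    decryption (PHP false) straight into setKey(); anything that is not a
    correctly sized byte string is refused here."""
    if not isinstance(decrypt_result, (bytes, bytearray)):
        raise EnvelopeError("session key decryption failed")
    key = bytes(decrypt_result)
    if len(key) not in AES_KEY_SIZES:
        raise EnvelopeError(f"session key has invalid length {len(key)}")
    if key == bytes(len(key)):
        # An all-null key is exactly what the faulty fallback produced; never accept it.
        raise EnvelopeError("all-null session key rejected")
    return key


def open_envelope(message: bytes,
                  rsa_decrypt: Callable[[bytes], Optional[bytes]]) -> Tuple[bytes, bytes]:
    """Parse, decrypt the session key, and return (key, ciphertext) or raise."""
    env = parse_envelope(message)
    key = require_session_key(rsa_decrypt(env.encrypted_key))
    return key, env.ciphertext


def build_envelope(encrypted_key: bytes, ciphertext: bytes) -> bytes:
    """Sender-side framing, used here only to construct sample input."""
    return (f"{len(encrypted_key):03x}".encode("ascii") + encrypted_key
            + f"{len(ciphertext):016x}".encode("ascii") + ciphertext)


if __name__ == "__main__":
    # Constructed sample: a 256-byte stand-in for the RSA blob and 40 bytes of ciphertext.
    sample = build_envelope(b"K" * 256, b"C" * 40)
    print(open_envelope(sample, lambda blob: b"\x11" * 32)[1][:8])
    try:
        open_envelope(sample, lambda blob: False)  # what a failed RSA decrypt yields
    except EnvelopeError as exc:
        print("rejected:", exc)
```

The point of require_session_key() is that a decryption failure is an error to be raised, never a value to be passed along: the caller of open_envelope() either gets a key of a valid AES size and the ciphertext, or gets an exception and aborts the upload.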

As with all arbitrary file upload vulnerabilities, this can lead to complete site compromise through the use of webshells and other techniques.

We would like to draw attention once again to the fact that the vulnerability only critically affects users who have a generated key in the plugin settings, a feature that is disabled by default, and the key expiration can only be set to a maximum of 24 hours.

The Patch

The vendor patched this issue by adding an empty check to the $key value in the decrypt_message() function.

public function decrypt_message($message)
{
    $len = substr($message, 0, 3);
    $len = hexdec($len);
    $key = substr($message, 3, $len);

    $cipherlen = substr($message, ($len + 3), 16);
    $cipherlen = hexdec($cipherlen);

    $data = substr($message, ($len + 19), $cipherlen);
    $rsa = new Crypt_RSA();
    $rsa->loadKey($this->public_key);
    $key=$rsa->decrypt($key);
    if ($key === false || empty($key))
    {
        return false;
    }
    $rij = new Crypt_Rijndael();
    $rij->setKey($key);
    return $rij->decrypt($data);
}

The vendor has also added a file extension check to the send_to_site() function, ensuring that only backup file types can be uploaded.

$safe_name = basename($params['name']);
$safe_name = preg_replace('/[^a-zA-Z0-9._-]/', '', $safe_name);
$allowed_extensions = array('zip', 'gz', 'tar', 'sql');
$file_ext = strtolower(pathinfo($safe_name, PATHINFO_EXTENSION));
if (!in_array($file_ext, $allowed_extensions, true))
{
    $ret['result'] = WPVIVID_FAILED;
    $ret['error'] = 'Invalid file type - only backup files allowed.';
    echo wp_json_encode($ret);
    die();
}
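The patch's combination of basename(), a character allowlist and an extension allowlist is the right shape. As an added example, not code from the plugin or from Wordfence and written in Python rather than PHP, the following applies the same three steps, goes one step further by requiring every extension in a multi-part name such as shell.php.zip to be on the allowlist, and adds a realpath containment check so the final write path provably stays inside the backup directory. The backup directory name and the candidate filenames are constructed for the example.

```python
"""Defensive handling of a client-supplied backup filename.

Added example, not code from the WPvivid plugin or from Wordfence. Same shape as
the vendor's patch (basename, character allowlist, extension allowlist), extended
so that every extension in a multi-part name must be allowed and so that the
resolved path is checked to stay inside the backup directory.
"""
import os
import re

# The patch's allowlist of backup file types.
ALLOWED_EXTENSIONS = frozenset({"zip", "gz", "tar", "sql"})
# Same character class as the patch's preg_replace: anything else is dropped.
UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


class UploadRejected(ValueError):
    """Raised when a filename must not be written anywhere."""


def sanitize_backup_filename(name: str) -> str:
    """Return a bare, allowlisted filename or raise UploadRejected."""
    # Drop any directory component, treating both separators as separators.
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    base = UNSAFE_CHARS.sub("", base)
    parts = base.split(".")
    stem, exts = parts[0], [p.lower() for p in parts[1:]]
    # Require a non-empty stem and at least one extension; this also rejects
    # "", ".", ".." and dot-prefixed names after sanitisation.
    if not stem or not exts:
        raise UploadRejected("filename has no stem or no extension")
    # Every extension must be allowed, so shell.php.zip is refused even though
    # its final extension is on the list.
    bad = [e for e in exts if e not in ALLOWED_EXTENSIONS]
    if bad:
        raise UploadRejected(f"invalid file type '{bad[0]}' - only backup files allowed")
    return base


def resolve_backup_path(backup_dir: str, name: str) -> str:
    """Join the sanitised name onto backup_dir and prove it did not escape."""
    safe_name = sanitize_backup_filename(name)
    root = os.path.realpath(backup_dir)
    target = os.path.realpath(os.path.join(root, safe_name))
    # Containment check: defence in depth against any gap in the sanitiser.
    if os.path.commonpath([root, target]) != root:
        raise UploadRejected("resolved path escapes the backup directory")
    return target


if __name__ == "__main__":
    # Constructed inputs; "backups" is a stand-in for the plugin's backup directory.
    for candidate in ("site-backup_db.zip",
                      "../../wp-content/uploads/shell.php", "shell.php.zip"):
        try:
            print("accept", resolve_backup_path("backups", candidate))
        except UploadRejected as exc:
            print("reject", candidate, "->", exc)
```

Rejecting any non-final extension that is not itself on the allowlist is stricter than the patch, but it still admits the usual backup names (site.zip, db.sql, archive.tar.gz) while closing the double-extension case that a server configured to run .php anywhere in a name would otherwise expose.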

Disclosure Timeline

January 12, 2026 – We received the submission for the Arbitrary File Upload vulnerability in WPvivid Backup via the Wordfence Bug Bounty Program.
January 22, 2026 – We validated the report and confirmed the proof-of-concept exploit. We sent an initial outreach to the vendor inviting them to leverage the Wordfence Vulnerability Management Portal for managing the new vulnerability disclosure.
January 22, 2026 – Wordfence Premium, Care, and Response users received a firewall rule to provide added protection against any exploits that may target this vulnerability.
January 23, 2026 – The vendor responded and opted to utilize email for this disclosure.
January 23, 2026 – We sent over the full disclosure details to the vendor. The vendor acknowledged the report and began working on a fix.
January 28, 2026 – The fully patched version of the plugin, 0.9.124, was released.
February 21, 2026 – Wordfence Free users will receive the same protection.

Conclusion

In this blog post, we detailed an Arbitrary File Upload vulnerability within the WPvivid Backup plugin affecting versions 0.9.123 and earlier. This vulnerability allows unauthenticated threat actors to execute malicious code on the server. The vulnerability has been fully addressed in version 0.9.124 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of WPvivid Backup as soon as possible considering the critical nature of this vulnerability.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on January 22, 2026. Sites using the free version of Wordfence will receive the same protection 30 days later on February 21, 2026.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

