CVE-2026-1357
Published 2026-02-11
CVE-2026-1357: The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Upload in versions up to and…
Priority P1 · 93 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 32.71% (98.1 percentile)
The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Upload in versions up to and including 0.9.123. This is due to improper error handling in the RSA decryption process combined with a lack of path sanitization when writing uploaded files. When the plugin fails to decrypt a session key using openssl_private_decrypt(), it does not terminate execution and instead passes the boolean false value to the phpseclib library's AES cipher initialization. The library treats this false value as a string of null bytes, allowing an attacker to encrypt a malicious payload using a predictable null-byte key. Additionally, the plugin accepts filenames from the decrypted payload without sanitization, enabling directory traversal to escape the protected backup directory. This makes it possible for unauthenticated attackers to upload arbitrary PHP files to publicly accessible directories and achieve Remote Code Execution via the wpvivid_action=send_to_site parameter.
Detection & IOCs (extracted from sources)
- Detect CVE-2026-1357 exploitation attempts by monitoring POST requests containing the 'wpvivid_action=send_to_site' parameter, which is the attack vector for unauthenticated arbitrary file upload.
- The Nuclei PoC template uses a specific encoded payload in the 'wpvivid_content' POST body parameter; monitor for large base64-encoded POST bodies to the WordPress root endpoint with wpvivid_action=send_to_site.
- Monitor for unexpected PHP files appearing in wp-content/uploads/ or other publicly accessible WordPress directories, which would indicate successful directory traversal exploitation of CVE-2026-1357.
- PCPJack drops files under /var/lib/.spm/ and installs a systemd service named sys-monitor.service; hunt for these paths and service names as persistence indicators post-exploitation.
- PCPJack exfiltrates credentials to Telegram; each chunk is prepended with a 🔒 emoji after base64 encoding. Monitor outbound traffic to Telegram API endpoints for this pattern.
- The PCPJack crypto_util module uses a hardcoded X25519 recipient public key '_RPK = "6d4imqQ/s/GfQCVcybdcjfTe/PMYHtZN8ZGHnEXSbRo="'; presence of this string in memory or on disk is a strong indicator of compromise.
- Use the FOFA/Shodan queries from the Nuclei template to identify exposed WordPress instances running the vulnerable wpvivid-backuprestore plugin as potential targets.
- PCPJack self-deletes bootstrap.sh after execution (rm -f "$0"); forensic investigation should focus on residual artifacts in /var/lib/.spm/ and the installed Python virtual environment rather than the initial script.
- Caveat: exploitation requires a valid session key within its 24-hour validity window, limiting the realistic exploitation window even when the feature is enabled.
- Caveat: the null-byte AES key attack works because phpseclib treats a boolean false (returned by failed openssl_private_decrypt) as a string of null bytes; this is a library behavior quirk that may differ across phpseclib versions.
- Caveat: PCPJack's crypto_util module silently falls back to sending credentials in plaintext if the cryptography Python library is not installed, meaning some exfiltration may be unencrypted and easier to detect in transit.
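Added example, not taken from any of the sources quoted on this page: a small Python checker that applies the first three log-based indicators above (send_to_site POSTs, oversized send_to_site bodies, PHP served from wp-content/uploads/) to constructed access-log lines. It assumes an nginx-style combined log with $request_length appended as the last field and a 64 KiB body-size threshold; both are assumptions to adapt per site.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log (assumption: nginx-style combined format with
# $request_length appended as the last field; adapt LINE_RE to your format).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Feb/2026:10:01:02 +0000] "POST /?wpvivid_action=send_to_site HTTP/1.1" 200 41 "-" "python-requests/2.31" 184320
203.0.113.7 - - [12/Feb/2026:10:01:05 +0000] "GET /wp-content/uploads/2026/02/shell.php HTTP/1.1" 200 17 "-" "curl/8.4" 210
198.51.100.4 - - [12/Feb/2026:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0" 640
192.0.2.9 - - [12/Feb/2026:10:03:11 +0000] "POST /index.php?wpvivid_action=send_to_site HTTP/1.1" 200 41 "-" "Mozilla/5.0" 900
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "[^"]*" (?P<req_len>\d+)$'
)
# Assumption: legitimate send_to_site traffic on this site stays well below this.
LARGE_BODY = 64 * 1024


def classify(line):
    """Return (ip, reason) findings for one access-log line."""
    m = LINE_RE.match(line)
    if not m:
        return []
    ip, method, target = m["ip"], m["method"], m["target"]
    url = urlsplit(target)
    findings = []
    # IoC 1: the vulnerable entry point is reached via wpvivid_action=send_to_site.
    if method == "POST" and "send_to_site" in parse_qs(url.query).get("wpvivid_action", []):
        findings.append((ip, "send_to_site request"))
        # IoC 2: the PoC ships its encrypted payload as a large base64 POST body.
        if int(m["req_len"]) > LARGE_BODY:
            findings.append((ip, "large send_to_site body"))
    # IoC 3: PHP served from the uploads tree points at a dropped webshell.
    path = url.path.lower()
    if "/wp-content/uploads/" in path and path.endswith(".php"):
        findings.append((ip, "php under uploads"))
    return findings


def scan_log(text):
    """Apply classify() to every line and return the findings in log order."""
    return [f for line in text.splitlines() for f in classify(line)]


if __name__ == "__main__":
    for ip, reason in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{reason}")
```

Access logs only record the query string, so a wpvivid_action parameter carried in the POST body needs a WAF or application-level log to catch; the PHP-under-uploads rule is a post-exploitation signal, not proof of this particular CVE.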
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-3cvp-fw5m-7w6r (ghsa_unreviewed · 2026-02-11 · CRITICAL · CWE-434): The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Upload in versions up
VulnCheck
wpvivid migration\,_backup\,_staging Unrestricted Upload of File with Dangerous Type (vulncheck · 2026 · CVSS 9.8 · CRITICAL)
No detection rules found.
Nuclei
WPvivid Backup & Migration <= 0.9.123 - Arbitrary File Upload (nuclei · CVSS 9.8 · CRITICAL)
WPvivid Backup & Migration plugin for WordPress <= 0.9.123 contains an unauthenticated arbitrary file upload vulnerability caused by improper error handling in RSA decryption and lack of path sanitization, letting unauthenticated attackers upload arbitrary PHP files and achieve remote code execution via the wpvivid_action=send_to_site parameter.
Template:
```yaml
id: CVE-2026-1357

info:
  name: WPvivid Backup & Migration <= 0.9.123 - Arbitrary File Upload
  author: omarkurt
  severity: critical
  description: |
    WPvivid Backup & Migration plugin for WordPress <= 0.9.123 contains an unauthenticated arbitrary file upload vulnerability caused by improper error handling in RSA decryption and lack of path sanitization, letting unauthenticated attacke
```
SANS ISC
TeamPCP Supply Chain Campaign: Activity Through 2026-05-17, (Mon, May 18th) (blogs_sans_isc · 2026-05-18 · tagged CVE-2026-45321)
Published: 2026-05-18. Last Updated: 2026-05-18 20:08:00 UTC
by Kenneth Hartman (Version: 1)
Since the last update, the TeamPCP supply chain campaign produced its loudest stretch since the March Trivy disclosure: an officially confirmed Checkmarx Jenkins plugin compromise and a new self-spreading Mini Shai-Hulud worm across npm and PyPI.
Bottom line up front
Two TeamPCP events broke within 48 hours of each other and doubled attention on the campaign. Checkmarx confirmed its Jenkins AST plugin was trojanized, its third compromise in three months, validating an earlier single-researcher claim. In parallel, a new Mini Shai-Hulud worm poisoned roughly 170 npm and PyPI packages (42 @tanstack packages in about six minut
BleepingComputer
New PCPJack worm steals credentials, cleans TeamPCP infections (blogs_bleepingcomputer · 2026-05-07 · CVSS 9.1 · tagged CVE-2025-29927, CRITICAL)
by Bill Toulas
PCPJack’s capabilities revolve mainly around credential theft, targeting cloud environments, developer systems, messenger apps, financial services, databases, SSH keys, Slack tokens, WordPress configs, OpenAI keys, Anthropic keys, Discord, DigitalOcean, and more.
The credentials are exfiltrated to Telegram channels after they are encrypted using X25519 ECDH and ChaCha20-Poly1305, and split into 2800-byte chunks respecting Telegram’s message character limits.
PCPJack propagates by scanning external cloud infrastructure for exposed services such as Docker, Kubernetes, Redis, MongoDB, and RayML, then attempts exploiting known vulnerabilities to gain access.
It also downloads hostname data from Common Crawl p
SentinelOne
PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale (blogs_sentinelone · 2026-05-07 · tagged CVE-2025-29927)
## Executive Summary
SentinelLABS has identified PCPJack, a credential theft framework that worms across exposed cloud infrastructure and removes artifacts associated with TeamPCP, a threat actor persona who claimed several high-profile supply chain intrusions throughout early 2026.
The toolset harvests credentials from cloud, container, developer, productivity, and financial services, then exfiltrates the data through attacker-controlled infrastructure while attempting to spread to additional hosts.
PCPJack targets exposed services including Docker, Kubernetes, Redis, MongoDB, RayML, and vulnerable web applications, enabling both external propagation and lateral movement inside victim environments.
Unlike typical
The Hacker News
PCPJack Credential Stealer Exploits 5 CVEs to Spread Worm-Like Across Cloud Systems (blogs_hackernews · 2026-05-07 · tagged CVE-2025-55182)
Cybersecurity researchers have disclosed details of a new credential theft framework dubbed PCPJack that targets exposed cloud infrastructure and ousts any artifacts linked to TeamPCP from the environments.
"The toolset harvests credentials from cloud, container, developer, productivity, and financial services, then exfiltrates the data through attacker-controlled infrastructure while attempting to spread to additional hosts," SentinelOne security researcher Alex Delamotte said in a report published today.
PCPJack is specifically designed to
BleepingComputer
WordPress plugin with 900k installs vulnerable to critical RCE flaw (blogs_bleepingcomputer · 2026-02-12 · CVSS 9.8 · CVE-2026-1357, CRITICAL)
by Bill Toulas
A critical vulnerability in the WPvivid Backup & Migration plugin for WordPress, installed on more than 900,000 websites, can be exploited to achieve remote code execution by uploading arbitrary files without authentication.
The security issue is tracked as CVE-2026-1357 and received a severity score of 9.8. It impacts all versions of the plugin up to 0.9.123 and could lead to a complete website takeover.
Despite the severity of the issue, researchers at WordPress security company Defiant say that only sites with the non-default “receive backup from another site” option enabled are critically impacted.
Furthermore, attackers have a 24-hour exploitation window, which is the validity of the generated k
Wiz
CVE-2026-1357 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 9.8 · CRITICAL)
## CVE-2026-1357: WordPress vulnerability analysis and mitigation
References:
- https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.122/includes/class-wpvivid-crypt.php#L58
- https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.122/includes/customclass/class-wpvivid-send-to-site.php#L629
- https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.123/includes/class-wpvivid-crypt.php#L58
- https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.123/includes/customclass/class-wpvivid-send-to-site.php#L629
- https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/trunk/includes/class-wpvivid-crypt.php#L58
- https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/trunk/includes/customclass/class-wpvivid-send-to-site.php#L629
- https://plugins.trac.wordpress.org/changeset/3448386/wpvivid-backuprestore#file1
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e5af0317-ef46-4744-9752-74ce228b5f37?source=cve